sidecar_token_auth 1.0.1

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -0,0 +1,283 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  class RegistrationsController < DeviseTokenAuth::ApplicationController
+    before_action :set_user_by_token, only: [:destroy, :update]
+    before_action :validate_sign_up_params, only: :create
+    before_action :validate_account_update_params, only: :update
+    skip_after_action :update_auth_header, only: [:create, :destroy]
+
+    def create
+      build_resource
+
+      unless @resource.present?
+        raise DeviseTokenAuth::Errors::NoResourceDefinedError,
+              "#{self.class.name} #build_resource does not define @resource,"\
+              ' execution stopped.'
+      end
+
+      # give redirect value from params priority
+      @redirect_url = params.fetch(
+        :confirm_success_url,
+        DeviseTokenAuth.default_confirm_success_url
+      )
+
+      # success redirect url is required
+      if confirmable_enabled? && !@redirect_url
+        return render_create_error_missing_confirm_success_url
+      end
+
+      # if whitelist is set, validate redirect_url against whitelist
+      return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?(@redirect_url)
+
+      # override email confirmation, must be sent manually from ctrl
+      callback_name = defined?(ActiveRecord) && resource_class < ActiveRecord::Base ? :commit : :create
+      resource_class.set_callback(callback_name, :after, :send_on_create_confirmation_instructions)
+      resource_class.skip_callback(callback_name, :after, :send_on_create_confirmation_instructions)
+
+      if @resource.respond_to? :skip_confirmation_notification!
+        # Fix duplicate e-mails by disabling Devise confirmation e-mail
+        @resource.skip_confirmation_notification!
+      end
+
+      ##################################################
+      # Custom Logic Start
+      ##################################################
+      if member_emails.include? @resource.email
+        @resource.tap do |user|
+          AssignRole.execute(user)
+        end
+        @resource.organization = member = Member.find_by(email: @resource.email).organization
+      elsif learner_emails.include? @resource.email
+        @resource.add_role :learner
+        @resource.organization = learner = Learner.find_by(email: @resource.email).organization
+      else
+        @resource.owned_organization.licensee = @resource if @resource.owned_organization
+        subscription = Subscription.where(email: @resource.email).last
+        render_create_error_subscription_does_not_exist && return unless subscription
+      end
+      ##################################################
+      # Custom Logic End
+      ##################################################
+
+      if @resource.save
+        ##################################################
+        # Custom Logic Start
+        ##################################################
+        subscription&.update(user: @resource, organization: @resource.owned_organization)
+        ##################################################
+        # Custom Logic End
+        ##################################################
+
+        yield @resource if block_given?
+
+        unless @resource.confirmed?
+          # user will require email authentication
+          @resource.send_confirmation_instructions({
+            client_config: params[:config_name],
+            redirect_url: @redirect_url
+          })
+        end
+
+        if active_for_authentication?
+          # email auth has been bypassed, authenticate user
+          @token = @resource.create_token
+          @resource.save!
+          update_auth_header
+        end
+
+        render_create_success
+      else
+        clean_up_passwords @resource
+        render_create_error
+      end
+    end
+
+    def update
+      if @resource
+        if @resource.send(resource_update_method, account_update_params)
+
+          ##################################################
+          # Custom Logic Start
+          ##################################################
+          @resource.configuration.update(remove_logo: true) if !account_update_params.dig(:configuration_attributes, :logo).nil? && account_update_params.dig(:configuration_attributes, :logo).empty?
+          ##################################################
+          # Custom Logic End
+          ##################################################
+
+          yield @resource if block_given?
+          render_update_success
+        else
+          render_update_error
+        end
+      else
+        render_update_error_user_not_found
+      end
+    end
+
+    def destroy
+      if @resource
+
+        ##################################################
+        # Custom Logic Start
+        ##################################################
+        @resource.soft_delete
+        ##################################################
+        # Custom Logic End
+        ##################################################
+
+        yield @resource if block_given?
+        render_destroy_success
+      else
+        render_destroy_error
+      end
+    end
+
+    def sign_up_params
+      params.permit(*params_for_resource(:sign_up))
+    end
+
+    def account_update_params
+      params.permit(*params_for_resource(:account_update))
+    end
+
+    protected
+
+    ##################################################
+    # Custom Logic Start
+    ##################################################
+
+    def render_update_success
+      render json: {
+          status: 'success',
+          data: resource_data(resource_json: UserSerializer.new(@resource))
+      }
+    end
+
+    def render_create_error_subscription_does_not_exist
+      response = {
+          status: 'error',
+          data: resource_data
+      }
+      message = I18n.t('devise_token_auth.registrations.subscription_does_not_exist')
+      render_error(422, message, response)
+    end
+
+    ##################################################
+    # Custom Logic End
+    ##################################################
+
+    def build_resource
+      @resource            = resource_class.new(sign_up_params)
+      @resource.provider   = provider
+
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(:email)
+        @resource.email = sign_up_params[:email].try(:downcase)
+      else
+        @resource.email = sign_up_params[:email]
+      end
+    end
+
+    def render_create_error_missing_confirm_success_url
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t('devise_token_auth.registrations.missing_confirm_success_url')
+      render_error(422, message, response)
+    end
+
+    def render_create_error_redirect_url_not_allowed
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t('devise_token_auth.registrations.redirect_url_not_allowed', redirect_url: @redirect_url)
+      render_error(422, message, response)
+    end
+
+    def render_create_success
+      render json: {
+        status: 'success',
+        data:   resource_data
+      }
+    end
+
+    def render_create_error
+      render json: {
+        status: 'error',
+        data:   resource_data,
+        errors: resource_errors
+      }, status: 422
+    end
+
+    def render_update_error
+      render json: {
+        status: 'error',
+        errors: resource_errors
+      }, status: 422
+    end
+
+    def render_update_error_user_not_found
+      render_error(404, I18n.t('devise_token_auth.registrations.user_not_found'), status: 'error')
+    end
+
+    def render_destroy_success
+      render json: {
+        status: 'success',
+        message: I18n.t('devise_token_auth.registrations.account_with_uid_destroyed', uid: @resource.uid)
+      }
+    end
+
+    def render_destroy_error
+      render_error(404, I18n.t('devise_token_auth.registrations.account_to_destroy_not_found'), status: 'error')
+    end
+
+    private
+
+    ##################################################
+    # Custom Logic Start
+    ##################################################
+
+    def learner_emails
+      Learner.all.collect(&:email)
+    end
+
+    def member_emails
+      Member.all.collect(&:email)
+    end
+
+    ##################################################
+    # Custom Logic End
+    ##################################################
+
+    def resource_update_method
+      if DeviseTokenAuth.check_current_password_before_update == :attributes
+        'update_with_password'
+      elsif DeviseTokenAuth.check_current_password_before_update == :password && account_update_params.key?(:password)
+        'update_with_password'
+      elsif account_update_params.key?(:current_password)
+        'update_with_password'
+      else
+        'update'
+      end
+    end
+
+    def validate_sign_up_params
+      validate_post_data sign_up_params, I18n.t('errors.messages.validate_sign_up_params')
+    end
+
+    def validate_account_update_params
+      validate_post_data account_update_params, I18n.t('errors.messages.validate_account_update_params')
+    end
+
+    def validate_post_data which, message
+      render_error(:unprocessable_entity, message, status: 'error') if which.empty?
+    end
+
+    def active_for_authentication?
+      !@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?
+    end
+  end
+end

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -0,0 +1,245 @@
+# frozen_string_literal: true
+
+# see http://www.emilsoman.com/blog/2013/05/18/building-a-tested/
+module DeviseTokenAuth
+  class SessionsController < DeviseTokenAuth::ApplicationController
+    before_action :set_user_by_token, only: [:destroy]
+    after_action :reset_session, only: [:destroy]
+
+    ##################################################
+    # Custom Logic Start
+    ##################################################
+
+    before_action :set_organization, only: [:saml]
+
+    def saml
+      field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
+      @resource = nil
+      if field
+        q_value = get_case_insensitive_field_from_resource_params(field)
+        @resource = find_resource(field, q_value)
+      end
+
+      if @resource.organization
+        request = OneLogin::RubySaml::Authrequest.new
+        redirect_to(request.create(saml_settings))
+      end
+    end
+
+    def users_saml_auth
+      response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
+      @organization = User.find_by(email: response.nameid)&.organization
+      response.settings = saml_settings if @organization
+
+      if response.is_valid?
+        @resource = User.find_by(email: response.nameid)
+        @client_id, @token, @expiry = @resource.create_token
+
+        if confirmable_enabled?
+          @resource.skip_confirmation!
+        end
+
+        sign_in(:user, @resource, store: false, bypass: false)
+        @resource.save!
+
+        redirect_header_options = { success: true }
+        redirect_headers = build_redirect_headers(@token,
+                                                  @client_id,
+                                                  redirect_header_options)
+        redirect_to(@resource.build_auth_url('http://sidecarlearning.com/sso',
+                                             redirect_headers))
+      else
+        render json: {
+            success: false,
+            errors: response.errors
+        }
+      end
+    end
+
+    ##################################################
+    # Custom Logic End
+    ##################################################
+
+    def new
+      render_new_error
+    end
+
+    def create
+      # Check
+      field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
+
+      @resource = nil
+      if field
+        q_value = get_case_insensitive_field_from_resource_params(field)
+
+        @resource = find_resource(field, q_value)
+      end
+
+      if @resource && valid_params?(field, q_value) && (!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?) && @resource.has_active_subscription?
+        valid_password = @resource.valid_password?(resource_params[:password])
+        if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
+          return render_create_error_bad_credentials
+        end
+        @token = @resource.create_token
+        @resource.save
+
+        sign_in(:user, @resource, store: false, bypass: false)
+
+        yield @resource if block_given?
+
+        render_create_success
+
+      ##################################################
+      # Custom Logic Start
+      ##################################################
+
+      elsif @resource && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication? && @resource.has_active_subscription?)
+        if @resource.respond_to?(:locked_at) && @resource.locked_at
+          render_create_error_account_locked
+        elsif @resource.deleted_at?
+          render_create_error_inactive_account
+        elsif !@resource.has_active_subscription?
+          render_create_error_invalid_subscription
+        else
+          render_create_error_not_confirmed
+        end
+
+      ##################################################
+      # Custom Logic End
+      ##################################################
+
+      else
+        render_create_error_bad_credentials
+      end
+    end
+
+    def destroy
+      # remove auth instance variables so that after_action does not run
+      user = remove_instance_variable(:@resource) if @resource
+      client = @token.client if @token.client
+      @token.clear!
+
+      if user && client && user.tokens[client]
+        user.tokens.delete(client)
+        user.save!
+
+        yield user if block_given?
+
+        render_destroy_success
+      else
+        render_destroy_error
+      end
+    end
+
+    protected
+
+    ##################################################
+    # Custom Logic Start
+    ##################################################
+
+    def render_create_error_inactive_account
+      render_error(401, I18n.t('devise_token_auth.sessions.inactive_account', email: @resource.email))
+    end
+
+    def render_create_error_invalid_subscription
+      render_error(401, I18n.t('devise_token_auth.sessions.invalid_subscription', email: @resource.email))
+    end
+
+    def saml_settings
+      settings = OneLogin::RubySaml::Settings.new
+
+      settings.assertion_consumer_service_url = "http://localhost:9999/users/saml/auth" # http://localhost:9999/users/saml/auth
+      settings.idp_entity_id                  = @organization.entity_id
+      settings.idp_sso_target_url             = @organization.target_url
+      settings.idp_cert_fingerprint           = @organization.fingerprint
+      settings.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig##{@organization.fingerprint_algorithm}" # 256
+      settings.name_identifier_format         = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+      settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+      settings.authn_context = %w[urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport urn:oasis:names:tc:SAML:2.0:ac:classes:Password]
+      settings.single_logout_service_binding      = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+      settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+
+      settings
+    end
+
+
+    ##################################################
+    # Custom Logic End
+    ##################################################
+
+    def valid_params?(key, val)
+      resource_params[:password] && key && val
+    end
+
+    def get_auth_params
+      auth_key = nil
+      auth_val = nil
+
+      # iterate thru allowed auth keys, use first found
+      resource_class.authentication_keys.each do |k|
+        if resource_params[k]
+          auth_val = resource_params[k]
+          auth_key = k
+          break
+        end
+      end
+
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(auth_key)
+        auth_val.downcase!
+      end
+
+      { key: auth_key, val: auth_val }
+    end
+
+    def render_new_error
+      render_error(405, I18n.t('devise_token_auth.sessions.not_supported'))
+    end
+
+    def render_create_success
+      render json: {
+        data: resource_data(resource_json: @resource.token_validation_response)
+      }
+    end
+
+    def render_create_error_not_confirmed
+      render_error(401, I18n.t('devise_token_auth.sessions.not_confirmed', email: @resource.email))
+    end
+
+    def render_create_error_account_locked
+      render_error(401, I18n.t('devise.mailer.unlock_instructions.account_lock_msg'))
+    end
+
+    def render_create_error_bad_credentials
+      render_error(401, I18n.t('devise_token_auth.sessions.bad_credentials'))
+    end
+
+    def render_destroy_success
+      render json: {
+        success:true
+      }, status: 200
+    end
+
+    def render_destroy_error
+      render_error(404, I18n.t('devise_token_auth.sessions.user_not_found'))
+    end
+
+    private
+
+    ##################################################
+    # Custom Logic Start
+    ##################################################
+
+    def set_organization
+      @organization = Organization.find_by(slug: params[:organization])
+    end
+
+    ##################################################
+    # Custom Logic End
+    ##################################################
+
+    def resource_params
+      params.permit(*params_for_resource(:sign_in))
+    end
+  end
+end