zuora_connect 0 → 3.2.11

data/lib/zuora_connect/controllers/helpers.rb

@@ -5,147 +5,190 @@ module ZuoraConnect
       extend ActiveSupport::Concern
 
       def authenticate_app_api_request
-        #Skip session for api requests
-        Thread.current[:appinstance] = nil
-        request.session_options[:skip] = true
-        ElasticAPM.set_tag(:trace_id, request.uuid) if defined?(ElasticAPM)
-
-        start_time = Time.now
-        if request.headers["API-Token"].present?
-          @appinstance = ZuoraConnect::AppInstance.where(:api_token => request.headers["API-Token"]).first
-          Rails.logger.debug("[#{@appinstance.id}] API REQUEST - API token") if @appinstance.present?
-          check_instance
-        else
-          authenticate_or_request_with_http_basic do |username, password|
-            @appinstance = ZuoraConnect::AppInstance.where(:token => password).first
-            @appinstance ||= ZuoraConnect::AppInstance.where(:api_token => password).first
-            Rails.logger.debug("[#{@appinstance.id}] API REQUEST - Basic Auth") if @appinstance.present?
-            check_instance
-          end
-        end
-        if @appinstance.present?
-          Rails.logger.debug("[#{@appinstance.id}] Authenticate App API Request Completed In - #{(Time.now - start_time).round(2)}s")
-        end
-      end
+        ZuoraConnect::AppInstance.read_master_db do
+          #Skip session for api requests
+          request.session_options[:skip] = true
 
-      def verify_with_navbar
-        if !session[params[:app_instance_ids]].present?
-          host = request.headers["HTTP_X_FORWARDED_HOST"]
-          zuora_client = ZuoraAPI::Login.new(url: "https://#{host}")
-          menus = zuora_client.get_full_nav(cookies.to_h)["menus"]
-          app = menus.select do |item|
-            matches = /(?<=.com\/services\/)(.*?)(?=\?|$)/.match(item["url"])
-            if !matches.blank?
-              matches[0].split("?").first == ENV["DEIS_APP"]
+          Thread.current[:appinstance] = nil
+          if ZuoraConnect.logger.is_a?(Ougai::Logger); ZuoraConnect.logger.with_fields = {}; end
+          if Rails.logger.is_a?(Ougai::Logger); Rails.logger.with_fields = {}; end
+          if defined?(ElasticAPM) && ElasticAPM.running?
+            if ElasticAPM.respond_to?(:set_label)
+              ElasticAPM.set_label(:trace_id, request.uuid) if defined?(ElasticAPM) && ElasticAPM.running?
+            else
+              ElasticAPM.set_label(:trace_id, request.uuid) if defined?(ElasticAPM) && ElasticAPM.running?
             end
           end
 
-          session[params[:app_instance_ids]] = app[0]
-          return app[0]
-        else
-          return session[params[:app_instance_ids]]
-        end
-      end
+          ZuoraConnect::ZuoraUser.current_user_id = request.headers["Zuora-User-Id"]
 
-      def select_instance
-        begin
-          app = verify_with_navbar
+          if request.headers["API-Token"].present?
+            @appinstance = ZuoraConnect::AppInstance.find_by(:api_token => request.headers["API-Token"])
+            ZuoraConnect.logger.debug("API REQUEST - API token") if @appinstance.present?
+            check_instance
+          elsif ZuoraConnect::AppInstance::INTERNAL_HOSTS.include?(request.headers.fetch("HOST", nil)) && request.headers['zuora-host'].present?
+            zuora_host, zuora_entity_id, zuora_instance_id = [request.headers['zuora-host'], (request.headers['zuora-entity-ids'] || "").gsub('-',''), request.headers['zuora-instance-id']]
+            zuora_host_mapping = {'origin-gateway.sbx.auw2.zuora.com' => 'rest.apisandbox.zuora.com',  'origin-gateway.prod.auw2.zuora.com' => 'rest.zuora.com'}
+            zuora_host = zuora_host_mapping[zuora_host] if zuora_host_mapping.keys.include?(zuora_host)
 
-          url_tasks = JSON.parse(Base64.urlsafe_decode64(CGI.parse(URI.parse(app["url"]).query)["app_instance_ids"][0]))
-          @app_instance_ids = JSON.parse(Base64.urlsafe_decode64(params[:app_instance_ids]))
+            #Validate entity-ids present
+            if zuora_entity_id.blank?
+              render json: {"status": 401, "message": "zuora-entity-ids header was not supplied."}, status: :unauthorized
+              return
+            end
+            #Select with instance id if present. Used where mulitple deployments are done.
+            if zuora_instance_id.present?
+              appinstances = ZuoraConnect::AppInstance.where("zuora_entity_ids ?& array[:entities] = true AND zuora_domain = :host AND id = :id", entities: [zuora_entity_id], host: zuora_host, id: zuora_instance_id.to_i)
+            else
+              appinstances = ZuoraConnect::AppInstance.where("zuora_entity_ids ?& array[:entities] = true AND zuora_domain = :host", entities: [zuora_entity_id], host: zuora_host)
+            end
 
-          if (url_tasks & @app_instance_ids).size == @app_instance_ids.size
-            sql = "select name,id from zuora_connect_app_instances where id = ANY(ARRAY#{@app_instance_ids})"
-            result = ActiveRecord::Base.connection.execute(sql)
-            @names = {}
-            result.each do |x|
-              @names[x["id"].to_i] = x["name"]
+            if appinstances.size == 0
+              render json: {"status": 404, "message": "Missing mapping or no deployment for '#{zuora_host}-#{zuora_entity_id}' ."}, status: 404
+              return
+            elsif appinstances.size > 1
+              render json: {"status": 401, "message": "More than one app instance binded to host and entity ids. Please indicate correct instance via 'zuora-instance-id' header", "instances": appinstances.map {|instance| instance.id }.sort }, status: :unauthorized
+              return
+            else
+              @appinstance = appinstances.first
+              check_instance
+            end
+
+          elsif request.headers.fetch("Authorization", "").include?("Basic ")
+            authenticate_or_request_with_http_basic do |username, password|
+              @appinstance = ZuoraConnect::AppInstance.find_by(:token => password)
+              @appinstance ||= ZuoraConnect::AppInstance.find_by(:api_token => password)
+              ZuoraConnect.logger.debug("API REQUEST - Basic Auth") if @appinstance.present?
+              check_instance
             end
-            render "zuora_connect/static/launch"
           else
-            render "zuora_connect/static/invalid_launch_request"
+            check_instance
           end
-        rescue => ex
-          Rails.logger.debug("Error parsing Instance ID's: #{ex.message}")
-          render "zuora_connect/static/invalid_launch_request"
+
+          @zuora_user = ZuoraConnect::ZuoraUser.find_by(zuora_user_id: ZuoraConnect::ZuoraUser.current_user_id)
+          zuora_org_ids = request.headers["Zuora-Org-Ids"]
+          ZuoraConnect::ZuoraUser.current_org_ids = []
+          ZuoraConnect::ZuoraUser.current_org_ids = zuora_org_ids.split(',') if zuora_org_ids
+
+        end
+      rescue ZuoraConnect::Exceptions::ConnectCommunicationError => ex
+        render json: {"status": 400, "message": ex.message}, status: 400
+        return 
+      rescue ZuoraAPI::Exceptions::ZuoraAPIInternalServerError => ex
+        render json: {"status": 500, "message": ex.message}, status: 500
+        return               
+      end
+
+       #API ONLY
+      def check_instance
+        if defined?(@appinstance) && @appinstance.present?
+          if @appinstance.new_session_for_api_requests(:params => params)
+            @appinstance.new_session(:session => @appinstance.data_lookup(:session => session))
+          end
+          Thread.current[:appinstance] = @appinstance
+          PaperTrail.whodunnit = "API User" if defined?(PaperTrail)
+          ElasticAPM.set_user("API User")  if defined?(ElasticAPM) && ElasticAPM.running?
+          return true
+        else
+          response.set_header('WWW-Authenticate', "Basic realm=\"Application\"")
+          render json: {"status": 401, "message": "Access Denied"}, status: :unauthorized
+          return false
         end
       end
 
       def authenticate_connect_app_request
-        ElasticAPM.set_tag(:trace_id, request.uuid) if defined?(ElasticAPM)
-        Thread.current[:appinstance] = nil
-        if params[:app_instance_ids].present? && !params[:app_instance_id].present?
-          begin
-            app_instance_ids = JSON.parse(Base64.urlsafe_decode64(params[:app_instance_ids]))
-            if app_instance_ids.length == 1
-              verify_with_navbar
-              instances = JSON.parse(Base64.urlsafe_decode64(CGI.parse(URI.parse(session[params[:app_instance_ids]]["url"]).query)["app_instance_ids"][0]))
-              if instances.include?(app_instance_ids[0])
-                @appinstance = ZuoraConnect::AppInstance.find(app_instance_ids[0])
-                @appinstance.new_session(session: {})
-                @appinstance.cache_app_instance
-                session["appInstance"] = app_instance_ids[0]
-              else
-                Rails.logger.fatal("Launch Error: Param Instance didnt match session data")
-                render "zuora_connect/static/invalid_launch_request"
-                return
-              end
+        ZuoraConnect::AppInstance.read_master_db do
+          Thread.current[:appinstance] = nil
+          if ZuoraConnect.logger.is_a?(Ougai::Logger); ZuoraConnect.logger.with_fields = {}; end
+          if Rails.logger.is_a?(Ougai::Logger); Rails.logger.with_fields = {}; end
+          if defined?(ElasticAPM) && ElasticAPM.running?
+            if ElasticAPM.respond_to?(:set_label)
+              ElasticAPM.set_label(:trace_id, request.uuid)
             else
-              select_instance
-              return
+              ElasticAPM.set_label(:trace_id, request.uuid)
             end
-          rescue => ex
-            Rails.logger.fatal("Launch Error: #{ex.message}")
-            render "zuora_connect/static/invalid_launch_request"
+          end
+
+          if ZuoraConnect.configuration.mode == "Production"
+            setup_instance_via_prod_mode
+          else
+            setup_instance_via_dev_mode
+          end
+
+          return if performed?
+
+          if !defined?(@appinstance) || @appinstance.blank?
+            render "zuora_connect/static/error_handled", :locals => {
+              :title => "Application state could not be found.",
+              :message => "Please relaunch application."
+            }, :layout => false
             return
           end
-          
-        elsif params[:app_instance_ids].present? && params[:app_instance_id].present?
-          begin
-            instances = JSON.parse(Base64.urlsafe_decode64(CGI.parse(URI.parse(session[params[:app_instance_ids]]["url"]).query)["app_instance_ids"][0]))
-            if instances.include?(params[:app_instance_id].to_i)
-              @appinstance = ZuoraConnect::AppInstance.find(params[:app_instance_id].to_i)
-              @appinstance.new_session(session: {})
-              @appinstance.cache_app_instance
-              session["appInstance"] = params[:app_instance_id].to_i
-            else
-              render "zuora_connect/static/invalid_launch_request"
-              return
+          #Call .data_lookup with the current session to retrieve session. In some cases session may be stored/cache in redis
+          #so data lookup provides a model method that can be overriden per app.
+          if params[:controller] != 'zuora_connect/api/v1/app_instance' && params[:action] != 'drop'
+            if @appinstance.new_session_for_ui_requests(:params => params)
+              @appinstance.new_session(:session => @appinstance.data_lookup(:session => session))
             end
-          rescue => ex
-            Rails.logger.fatal("Launch Error: #{ex.message}")
-            render "zuora_connect/static/invalid_launch_request"
-            return
           end
-        end
-        start_time = Time.now
-        if ZuoraConnect.configuration.mode == "Production"
-          if request["data"] && /^([A-Za-z0-9+\/\-\_]{4})*([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)$/.match(request["data"].to_s)
-            setup_instance_via_data
-          else
-            setup_instance_via_session
+
+          if session["#{@appinstance.id}::user::email"].present?
+            ElasticAPM.set_user(session["#{@appinstance.id}::user::email"])  if defined?(ElasticAPM) && ElasticAPM.running?
+            PaperTrail.whodunnit =  session["#{@appinstance.id}::user::email"] if defined?(PaperTrail)
           end
-        else
-          setup_instance_via_dev_mode
-        end
-        #Call .data_lookup with the current session to retrieve session. In some cases session may be stored/cache in redis 
-        #so data lookup provides a model method that can be overriden per app.
-        if params[:controller] != 'zuora_connect/api/v1/app_instance' && params[:action] != 'drop'
-          if @appinstance.new_session_for_ui_requests(:params => params)
-            @appinstance.new_session(:session => @appinstance.data_lookup(:session => session))
+
+          locale = (session["#{@appinstance.id}::user::locale"] || "").gsub("_", "-")
+          begin
+            I18n.locale = locale.present? ? locale : @appinstance.locale
+          rescue I18n::InvalidLocale => ex
+            if locale.include?("-")
+              locale = locale.split("-").first
+              retry
+            elsif locale != session["#{@appinstance.id}::user::language"]
+              locale = session["#{@appinstance.id}::user::language"]
+              retry
+            end
+            ZuoraConnect.logger.error(ex) if !ZuoraConnect::AppInstance::IGNORED_LOCALS.include?(ex.locale.to_s.downcase)
+          end
+          if @appinstance.user_timezone.blank?
+            @appinstance.set_timezone(timezone: session["#{@appinstance.id}::user::timezone"], type: :default)
           end
         end
-        if session["#{@appinstance.id}::user::email"].present? 
-          ElasticAPM.set_user(session["#{@appinstance.id}::user::email"])  if defined?(ElasticAPM) 
-          PaperTrail.whodunnit =  session["#{@appinstance.id}::user::email"] if defined?(PaperTrail)
+      rescue ZuoraConnect::Exceptions::InvalidCredentialSet => ex
+        id = @appinstance.id
+        ZuoraConnect::AppInstance.destroy(id)
+        Apartment::Tenant.drop(id)
+        render "zuora_connect/static/error_handled", :locals => {
+          :title => "Application Setup Error",
+          :message => "Application cannot be run using Zuora Session. Delete old application \
+          deployment and create new with Zuora Basic or OAuth credentials."
+        }, :layout => false
+        return
+      rescue ZuoraConnect::Exceptions::AccessDenied => ex
+        respond_to do |format|
+          format.html {
+            render "zuora_connect/static/error_handled", :locals => {
+                :title => "Application State Error",
+                :message => ex.message
+              }, status: 401, layout: false
+          }
+          format.js {
+            render "zuora_connect/static/error_handled", :locals => {
+                :title => "Application State Error",
+                :message => ex.message
+              }, status: 401, layout: false
+          }
+          format.json { render json: {'errors' => ex.message}, status: 401 }
+          format.all { render json: ex.message, status: 401 }
         end
-        begin
-          I18n.locale = session["#{@appinstance.id}::user::locale"] ?  session["#{@appinstance.id}::user::locale"] : @appinstance.locale
-        rescue I18n::InvalidLocale => ex
-          Rails.logger.error("Invalid Locale: #{ex.message}")
+        return
+      rescue => ex
+        ZuoraConnect.logger.error("UI Authorization Error", ex)
+        respond_to do |format|
+          format.html { render 'zuora_connect/static/error_unhandled', :locals => {:exception => ex, :skip_exception => true}, status: 500, layout: false }
+          format.js { render 'zuora_connect/static/error_unhandled', :locals => {:exception => ex, :skip_exception => true}, status: 500, layout: false}
         end
-        Time.zone = session["#{@appinstance.id}::user::timezone"] ? session["#{@appinstance.id}::user::timezone"] : @appinstance.timezone
-        Rails.logger.debug("[#{@appinstance.blank? ? "N/A" : @appinstance.id}] Authenticate App Request Completed In - #{(Time.now - start_time).round(2)}s")
+        return
       end
 
       def persist_connect_app_session
@@ -158,103 +201,511 @@ module ZuoraConnect
         end
       end
 
-      def check_connect_admin!
-        raise ZuoraConnect::Exceptions::AccessDenied.new("User is not an authorized admin for this application") if !session["#{@appinstance.id}::admin"]
+      def check_connect_admin!(raise_error: false)
+        if !(session["#{@appinstance.id}::admin"] || @appinstance.zuora_tenant_ids.include?("9"))
+          raise ZuoraConnect::Exceptions::AccessDenied.new("User is not an authorized admin for this application") if raise_error
+
+          respond_to do |format|
+            format.html {
+              render "zuora_connect/static/error_handled", :locals => {
+                  :title => "Unauthorized",
+                  :message => "User is not an authorized admin for this application"
+                }, status: 401, :layout => false
+            }
+            format.js {
+              render "zuora_connect/static/error_handled", :locals => {
+                  :title => "Unauthorized",
+                  :message => "User is not an authorized admin for this application"
+                }, status: 401, :layout => false
+            }
+            format.json { render json: {'errors' => ex.message}, status: 401 }
+            format.all { render json: ex.message, status: 401 }
+          end
+          return
+        end
       end
 
       def check_connect_admin
         return session["#{@appinstance.id}::admin"]
       end
 
-    private
-      def setup_instance_via_data
-        session.clear
-        values = JSON.parse(ZuoraConnect::AppInstance.decrypt_response(Base64.urlsafe_decode64(request["data"])))
-        Rails.logger.debug("Data: #{values.to_json}")
-        if values["param_data"]
-          values["param_data"].each do |k ,v|
-            params[k] = v
+      def zuora_user
+        return @zuora_user
+      end
+
+      def hallway_integration?
+        return (request.headers['ZuoraCurrentEntity'].present? || cookies['ZuoraCurrentEntity'].present?)
+      end
+      def create_new_instance
+        ZuoraConnect::AppInstance.read_master_db do
+          Thread.current[:appinstance] = nil
+          ZuoraConnect.logger.with_fields = {} if ZuoraConnect.logger.is_a?(Ougai::Logger)
+          Rails.logger.with_fields = {} if Rails.logger.is_a?(Ougai::Logger)
+
+          if defined?(ElasticAPM) && ElasticAPM.running? && ElasticAPM.respond_to?(:set_label)
+            ElasticAPM.set_label(:trace_id, request.uuid)
           end
-        end
-        session["#{values["appInstance"]}::destroy"] = values["destroy"]
-        session["appInstance"] = values["appInstance"]
-        if values["current_user"]
-          session["#{values["appInstance"]}::admin"] = values["current_user"]["admin"] ? values["current_user"]["admin"] : false
-          session["#{values["appInstance"]}::user::timezone"] = values["current_user"]["timezone"]
-          session["#{values["appInstance"]}::user::locale"] = values["current_user"]["locale"]
-          session["#{values["appInstance"]}::user::email"] = values["current_user"]["email"]
-        end
 
-        Rails.logger.debug("App Params: #{values.to_json}}") if Rails.env != "production"
+          zuora_host = request.headers['zuora-host']
+          zuora_entity_id = (request.headers['zuora-entity-ids'] || '').gsub(
+            '-',
+            ''
+          ).split(',').first
 
-        @appinstance = ZuoraConnect::AppInstance.where(:id => values["appInstance"].to_i).first
-        if @appinstance.blank?
-          Apartment::Tenant.switch!("public")
-          begin
-            Apartment::Tenant.create(values["appInstance"].to_s)
-          rescue Apartment::TenantExists => ex
-            Rails.logger.debug("Tenant Already Exists")
+          # Validate host present
+          if zuora_host.blank?
+            render json: {
+              status: 401,
+              message: 'zuora-host header was not supplied.'
+            }, status: :unauthorized
+            return
           end
-          @appinstance = ZuoraConnect::AppInstance.new(:api_token =>  values[:api_token],:id => values["appInstance"].to_i, :access_token => values["access_token"].blank? ? values["user"] : values["access_token"], :token => values["refresh_token"]  , :refresh_token => values["refresh_token"].blank? ? values["key"] : values["refresh_token"], :oauth_expires_at => values["expires"])
-          @appinstance.save(:validate => false)
-        else
-          @appinstance.access_token = values["access_token"] if !values["access_token"].blank? && @appinstance.access_token != values["access_token"]
-          @appinstance.refresh_token = values["refresh_token"] if !values["refresh_token"].blank? && @appinstance.refresh_token != values["refresh_token"]
-          @appinstance.oauth_expires_at = values["expires"] if !values["expires"].blank?
-          @appinstance.api_token = values["api_token"] if !values["api_token"].blank? && @appinstance.api_token != values["api_token"]
-          if @appinstance.access_token_changed? && @appinstance.refresh_token_changed?
-            @appinstance.save(:validate => false)
+
+          # Validate entity-ids present
+          if zuora_entity_id.blank?
+            render json: {
+              status: 401,
+              message: 'zuora-entity-ids header was not supplied.'
+            }, status: :unauthorized
+            return
+          end
+
+          rest_domain = ZuoraAPI::Login.new(url: "https://#{zuora_host}").rest_domain
+          app_instance_id = ZuoraConnect::AppInstance.where(
+            'zuora_entity_ids ?& array[:entities] AND zuora_domain = :host',
+            entities: [zuora_entity_id],
+            host: rest_domain
+          ).pluck(:id).first
+
+          if app_instance_id.present?
+            render json: {
+              status: 409,
+              message: 'Instance already exists.',
+              app_instance_id: app_instance_id
+            }, status: 409
           else
-            raise ZuoraConnect::Exceptions::AccessDenied.new("Authorization mistmatch. Possible tampering")
+            Apartment::Tenant.switch!("public")
+            retry_count = 3
+            begin
+              @appinstance = new_instance(
+                next_instance_id,
+                zuora_entity_id,
+                rest_domain,
+                tenant_id: request.headers['zuora-tenant-id'],
+                retry_count: retry_count
+              )
+            rescue ActiveRecord::RecordNotUnique
+              retry if (retry_count -= 1).positive?
+              return
+            end
+
+            app_instance_id = @appinstance.id
           end
-        end     
-      end
 
-      def setup_instance_via_session
-        if session["appInstance"].present?
-          @appinstance = ZuoraConnect::AppInstance.where(:id => session["appInstance"]).first
-        else
-          raise ZuoraConnect::Exceptions::SessionInvalid.new("Session Blank -- Relaunch Application")
+          begin
+            Apartment::Tenant.switch!('public')
+            Apartment::Tenant.create(app_instance_id.to_s)
+          rescue Apartment::TenantExists
+            ZuoraConnect.logger.debug('Tenant Already Exists')
+          end
         end
       end
 
-      def setup_instance_via_dev_mode
-        session["appInstance"] = ZuoraConnect.configuration.dev_mode_appinstance
-        user = ZuoraConnect.configuration.dev_mode_user
-        key = ZuoraConnect.configuration.dev_mode_pass
-        values = {:user => user , :key => key, :appinstance => session["appInstance"]}
-        @appinstance = ZuoraConnect::AppInstance.where(:id => values[:appinstance].to_i).first
-        if @appinstance.blank?
-          Apartment::Tenant.switch!("public")
+    private
+      def setup_instance_via_prod_mode
+        zuora_entity_id = request.headers['ZuoraCurrentEntity'] || cookies['ZuoraCurrentEntity']
+        ZuoraConnect::ZuoraUser.current_user_id = '3'
+
+        if zuora_entity_id.present?
+          zuora_tenant_id = cookies['Zuora-Tenant-Id']
+          zuora_user_id = cookies['Zuora-User-Id']
+          zuora_host = request.headers['HTTP_X_FORWARDED_HOST'] || request.headers['HTTP_ZUORA_HOST'] || 'apisandbox.zuora.com'
+
+          zuora_details = {'host' => zuora_host, 'user_id' => zuora_user_id, 'tenant_id' => zuora_tenant_id, 'entity_id' => zuora_entity_id}
+          auth_headers = {}
+          #Do we need to refresh session identity
+          if request.headers["Zuora-Auth-Token"].present?
+            zuora_client = ZuoraAPI::Oauth.new(url: "https://#{zuora_host}", bearer_token: request.headers["Zuora-Auth-Token"], entity_id: zuora_entity_id, oauth_session_expires_at: Time.now + 5.minutes )
+          elsif cookies['ZSession'].present?
+            zuora_client = ZuoraAPI::Basic.new(url: "https://#{zuora_host}", session: cookies['ZSession'], entity_id: zuora_entity_id)
+            auth_headers.merge!({'Authorization' => "ZSession-a3N2w #{zuora_client.get_session(prefix: false, auth_type: :basic)}"})
+          else
+            render "zuora_connect/static/error_handled", :locals => {
+              :title => "Missing Authorization Token",
+              :message => "Zuora 'Zuora-Auth-Token' header and 'ZSession' cookie not present."
+            }, :layout => false
+            return
+          end
+
           begin
-            Apartment::Tenant.create(values[:appinstance].to_s)
-          rescue Apartment::TenantExists => ex
-            Apartment::Tenant.drop(values[:appinstance].to_s)
-            retry
+            zuora_instance_id = params[:sidebar_launch].to_s.to_bool ? nil : (params[:app_instance_id] || session["appInstance"])
+
+            #Identity blank or current entity different
+            different_zsession = session["ZSession"] != cookies['ZSession']
+            missmatched_entity = session["ZuoraCurrentEntity"] != zuora_entity_id
+            missing_identity = session["ZuoraCurrentIdentity"].blank?
+
+            if (missing_identity || missmatched_entity || different_zsession)
+              zuora_details.merge!({'identity' => {'different_zsession' => different_zsession, 'missing_identity' => missing_identity, 'missmatched_entity' => missmatched_entity}})
+              identity, response = zuora_client.rest_call(
+                url: zuora_client.rest_endpoint("identity"),
+                zuora_track_id: ZuoraConnect::RequestIdMiddleware.zuora_request_id
+              )
+
+              if zuora_entity_id != identity['entityId']
+                if zuora_tenant_id.to_s == "10548"
+                  session.clear
+                  render "zuora_connect/static/error_handled", :locals => {
+                    :title => "Security Testing",
+                    :message => "Ya we know it you"
+                  }, :layout => false
+                  return
+                else
+                  raise ZuoraConnect::Exceptions::Error.new("Header entity id does not match identity call entity id.")
+                end
+              end
+
+              ##
+              # If the ZSession was refreshed, but it's still the same user and they aren't launching from the side bar,
+              # we don't need to continue
+              is_different_user = identity.slice("entityId", "tenantId", "userId", "userProfileId") != (session["ZuoraCurrentIdentity"] || {}).slice("entityId", "tenantId", "userId", "userProfileId")
+              zuora_details["identity"]["entityId"] = identity['entityId']
+              session["ZuoraCurrentIdentity"] = identity
+              session["ZuoraCurrentEntity"] = identity['entityId']
+              session["ZSession"] = cookies['ZSession']
+              if is_different_user || params[:sidebar_launch].to_s.to_bool
+                zuora_instance_id = nil
+                ZuoraConnect.logger.debug("UI Authorization", zuora: zuora_details)
+                client_describe, response = zuora_client.rest_call(
+                  url: zuora_client.rest_endpoint("genesis/user/info").gsub('v1/', ''),
+                  session_type: zuora_client.class == ZuoraAPI::Oauth ? :bearer : :basic,
+                  headers: auth_headers,
+                  zuora_track_id: ZuoraConnect::RequestIdMiddleware.zuora_request_id
+                )
+                session["ZuoraCurrentUserInfo"] = client_describe
+              end
+            end
+
+            if zuora_instance_id.present?
+              appinstances = ZuoraConnect::AppInstance.where("zuora_entity_ids ?& array[:entities] = true AND zuora_domain = :host AND id = :id", entities: [zuora_entity_id], host: zuora_client.rest_domain, id: zuora_instance_id.to_i).pluck(:id, :name)
+            else
+              #if app_instance_ids is present then permissions still controlled by connect
+              if params[:app_instance_ids].present?
+                navbar, response = zuora_client.rest_call(
+                  url: zuora_client.rest_endpoint("navigation"),
+                  zuora_track_id: ZuoraConnect::RequestIdMiddleware.zuora_request_id
+                )
+                urls = navbar['menus'].map {|x| x['url']}
+                app_env = ENV["DEIS_APP"] || "xyz123"
+                url = urls.compact.select {|url| File.basename(url).start_with?(app_env + '?')}.first
+                if url.blank?
+                  if navbar['menus'].map {|x| x['label']}.include?('Link Connect Account')
+                    render "zuora_connect/static/error_handled", :locals => {
+                      :title => "Link Account",
+                      :message => "Link Connect account to gain access to application."
+                    }, :layout => false
+                    return
+                  end
+                  raise ZuoraConnect::Exceptions::APIError.new(message: "#{app_env} navbar url was blank", response: response)
+                else
+                  query_params = CGI.parse(URI.parse(url).query)
+                  app_instance_ids = query_params["app_instance_ids"][0]
+                  if app_instance_ids.present?
+                    begin
+                      task_ids = JSON.parse(Base64.urlsafe_decode64(app_instance_ids))
+
+                      appinstances = ZuoraConnect::AppInstance.where(:id => task_ids).pluck(:id, :name)
+                    rescue => ex
+                      raise ZuoraConnect::Exceptions::APIError.new(message: "Failure in parsing the navbar urls.", response: response)
+                    end
+                  end
+                end
+              end
+              appinstances ||= ZuoraConnect::AppInstance.where("zuora_entity_ids ?& array[:entities] = true AND zuora_domain = :host", entities: [zuora_entity_id], host: zuora_client.rest_domain).pluck(:id, :name)
+            end
+
+            zuora_user_id = cookies['Zuora-User-Id'] || session["ZuoraCurrentIdentity"]['userId'] || request.headers["Zuora-User-Id"]
+
+            if appinstances.size == 1
+              ZuoraConnect.logger.debug("Instance is #{appinstances.to_h.keys.first}")
+              @appinstance = ZuoraConnect::AppInstance.find(appinstances.to_h.keys.first)
+            end
+
+            # One deployed instance with credentials
+            if defined?(@appinstance) && !@appinstance['zuora_logins'].nil?
+              @zuora_user = ZuoraConnect::ZuoraUser.update_id_response(
+                zuora_user_id, zuora_entity_id, session["ZuoraCurrentIdentity"],
+                @appinstance,
+                session['ZuoraCurrentUserInfo']['permissions']
+              )
+              @zuora_user.session = session
+              ZuoraConnect::ZuoraUser.current_user_id = zuora_user_id
+              session["#{@appinstance.id}::user::localUserId"] = @zuora_user.id
+              session["#{@appinstance.id}::user::email"] = session['ZuoraCurrentIdentity']["username"]
+              session["#{@appinstance.id}::user::timezone"] = session['ZuoraCurrentIdentity']["timeZone"]
+              session["#{@appinstance.id}::user::language"] = session['ZuoraCurrentIdentity']["language"]
+              session["#{@appinstance.id}::user::locale"] = session['ZuoraCurrentIdentity']["locale"]
+              session["appInstance"] = @appinstance.id
+
+            #We have multiple, user must pick
+            elsif appinstances.size > 1
+              ZuoraConnect.logger.debug("User must select instance. #{@names}")
+              render "zuora_connect/static/launch", :locals => {:names => appinstances.to_h}, :layout => false
+              return
+
+            #We have no deployed instance for this tenant
+            else
+              if ZuoraConnect.configuration.disable_provisioning
+                raise ZuoraConnect::Exceptions::AccessDenied.new("Provisioning is suspended")
+              end
+
+              #Ensure user can access oauth creation API
+              if !session["ZuoraCurrentUserInfo"]['permissions'].include?("permission.userManagement")
+                Thread.current[:appinstance] = nil
+                session["appInstance"] = nil
+                render "zuora_connect/static/error_handled", :locals => {
+                  :title => "Application can only complete its initial setup via platform administrator",
+                  :message => "Please contact admin who has user managment permissions in tenant and have them click and finish setup."
+                }, :layout => false
+                return
+              end
+              Apartment::Tenant.switch!("public")
+              retry_count = 3
+              task_data = {}
+              begin
+                ActiveRecord::Base.transaction do
+                  ActiveRecord::Base.connection.execute('LOCK public.zuora_users IN ACCESS EXCLUSIVE MODE')
+
+                  unless defined?(@appinstance)
+                    appinstances = ZuoraConnect::AppInstance.where("zuora_entity_ids ?& array[:entities] = true AND zuora_domain = :host", entities: [zuora_entity_id], host: zuora_client.rest_domain).pluck(:id, :name)
+
+                    if appinstances.size > 0
+                      redirect_to "https://#{zuora_host}/apps/newlogin.do?retURL=#{request.fullpath}&pos=0"
+                      return
+                    end
+                  end
+
+                  next_id = defined?(@appinstance) ? @appinstance.id : next_instance_id
+                  if task_data.blank?
+                    user = (ENV['DEIS_APP'] || "Application").split('-').map(&:capitalize).join(' ')
+                    body = {
+                      'userId' => zuora_user_id,
+                      'entityIds' => [zuora_entity_id.unpack("a8a4a4a4a12").join('-')],
+                      'customAuthorities' => [],
+                      'additionalInformation' => {
+                        'description' => "This user is for #{user} application.",
+                        'name' => "#{user} API User #{next_id}"
+                      }
+                    }
+
+                    oauth_response, response = zuora_client.rest_call(
+                      method: :post,
+                      body: body.to_json,
+                      url: zuora_client.rest_endpoint("genesis/clients").gsub('v1/', ''),
+                      session_type: zuora_client.class == ZuoraAPI::Oauth ? :bearer : :basic,
+                      headers: auth_headers,
+                      zuora_track_id: ZuoraConnect::RequestIdMiddleware.zuora_request_id
+                    )
+
+                    new_zuora_client = ZuoraAPI::Oauth.new(url: "https://#{zuora_host}", oauth_client_id: oauth_response["clientId"], oauth_secret: oauth_response["clientSecret"] )
+                    if session["ZuoraCurrentUserInfo"].blank?
+                      client_describe, response = new_zuora_client.rest_call(
+                        url: zuora_client.rest_endpoint("genesis/user/info").gsub('v1/', ''), 
+                        session_type: :bearer,
+                        zuora_track_id: ZuoraConnect::RequestIdMiddleware.zuora_request_id
+                      )
+                    else
+                      client_describe = session["ZuoraCurrentUserInfo"]
+                    end
+
+                    available_entities = client_describe["accessibleEntities"].select {|entity| entity['id'] == zuora_entity_id}
+                    task_data = {
+                      "id": next_id,
+                      "name": client_describe["tenantName"],
+                      "mode": "Collections",
+                      "status": "Running",
+                      ZuoraConnect::AppInstance::LOGIN_TENANT_DESTINATION => {
+                        "tenant_type": "Zuora",
+                        "username": session["ZuoraCurrentIdentity"]["username"],
+                        "url": new_zuora_client.url,
+                        "status": "Active",
+                        "oauth_client_id": oauth_response['clientId'],
+                        "oauth_secret": oauth_response['clientSecret'],
+                        "authentication_type": "OAUTH",
+                        "entities": available_entities.map {|e| e.merge({'displayName' => client_describe["tenantName"]})}
+                      },
+                      "tenant_ids": available_entities.map{|e| e['entityId']}.uniq,
+                    }
+                  end
+
+                  if defined?(@appinstance)
+                    @appinstance.zuora_logins = task_data
+                    @appinstance.save(:validate => false)
+                  else
+                    @appinstance = new_instance(
+                      next_id,
+                      zuora_entity_id,
+                      zuora_client.rest_domain,
+                      task_data: task_data,
+                      retry_count: retry_count
+                    )
+                  end
+                end
+              rescue ActiveRecord::RecordNotUnique
+                retry if (retry_count -= 1).positive?
+                return
+              end
+
+              Apartment::Tenant.switch!("public")
+              begin
+                Apartment::Tenant.create(@appinstance.id.to_s)
+              rescue Apartment::TenantExists => ex
+                ZuoraConnect.logger.debug("Tenant Already Exists")
+              end
+              @appinstance.refresh
+              session["appInstance"] = @appinstance.id
+            end
+
+            zuora_org_ids = cookies['Zuora-Org-Ids'] || request.headers['Zuora-Org-Ids']
+            ZuoraConnect::ZuoraUser.current_org_ids = []
+            ZuoraConnect::ZuoraUser.current_org_ids = zuora_org_ids.split('|') if zuora_org_ids
+
+          rescue ZuoraAPI::Exceptions::ZuoraAPIAuthenticationTypeError => ex
+            output_xml, input_xml, response = zuora_client.soap_call(errors: [], z_session: false, zuora_track_id: ZuoraConnect::RequestIdMiddleware.zuora_request_id) do |xml|
+              xml['api'].getUserInfo
+            end
+            final_error = output_xml.xpath('//fns:FaultCode', 'fns' =>'http://fault.api.zuora.com/').text
+            session.clear
+            if final_error.blank?
+              ZuoraConnect.logger.warn("UI Authorization Error", ex, response: { params: response.body })
+            elsif final_error != "INVALID_SESSION"
+              ZuoraConnect.logger.warn("UI Authorization Error", ex, response: { params: final_error })
+            else
+              ZuoraConnect.logger.info("UI Authorization Error", ex, response: { params: final_error })
+            end
+            redirect_to "https://#{zuora_host}/apps/newlogin.do?retURL=#{request.fullpath}&pos=1"
+            return
+
+          rescue ZuoraAPI::Exceptions::ZuoraAPIError, Exception => ex
+            if ex.message.include?("Referenced User resource(s) not found") && ex.class == ZuoraAPI::Exceptions::ZuoraAPIError
+              locals = {title: "Provisioning Error", message: "New tenants need to be provisioned by API Gateway('#{ex.message}'). Please contact support."}
+              render "zuora_connect/static/error_handled", locals: locals, status: 200, layout: false
+            else
+              session.clear
+              if defined?(ex.response) && ex.response.present? && defined?(ex.response.body)
+                zuora_details.merge!({:error => ex.response.body})
+              end
+              ZuoraConnect.logger.error("UI Authorization Error", ex, zuora: zuora_details)
+
+              respond_to do |format|
+                format.html {
+                  render "zuora_connect/static/error_unhandled", locals: {exception: ex, skip_exception: true}, layout: false, status: 500
+                }
+                format.js {
+                  render "zuora_connect/static/error_unhandled", locals: {exception: ex, skip_exception: true}, layout: false, status: 500
+                }
+              end
+            end
+            return
+          end
+        elsif request["data"].present? && (request["connectInstanceId"].present? || /^([A-Za-z0-9+\/\-\_]{4})*([A-Za-z0-9+\/]{4}|[A-Za-z0-9+-_\/]{3}=|[A-Za-z0-9+\/]{2}==)$/.match(request["data"].to_s))
+          session.clear
+          values = JSON.parse(ZuoraConnect::AppInstance.decrypt_response(Base64.urlsafe_decode64(request["data"])))
+          values.fetch("param_data", {}).each do |k ,v|
+            params[k] = v
+          end
+          session["#{values["appInstance"]}::destroy"] = values["destroy"]
+          session["appInstance"] = values["appInstance"]
+          if values["current_user"]
+            session["#{values["appInstance"]}::admin"] = values["current_user"]["admin"] ? values["current_user"]["admin"] : false
+            session["#{values["appInstance"]}::user::timezone"] = values["current_user"]["timezone"]
+            session["#{values["appInstance"]}::user::locale"] = values["current_user"]["locale"]
+            session["#{values["appInstance"]}::user::email"] = values["current_user"]["email"]
           end
 
-          @appinstance = ZuoraConnect::AppInstance.new(:id => values[:appinstance].to_i, :access_token => values[:user], :refresh_token => values[:key], :token => "#{values[:key]}#{values[:key]}", :api_token => "#{values[:key]}#{values[:key]}")
-          @appinstance.save(:validate => false)
-        end
-        if @appinstance.access_token.blank? || @appinstance.refresh_token.blank? || @appinstance.token.blank? || @appinstance.api_token.blank?
-          @appinstance.update_attributes!(:access_token =>  values["user"], :refresh_token =>  values["key"], :token => "#{values[:key]}#{values[:key]}", :api_token => "#{values[:key]}#{values[:key]}")
+          @appinstance = ZuoraConnect::AppInstance.find_by(:id => values["appInstance"].to_i)
+
+          if @appinstance.blank?
+            if ZuoraConnect.configuration.disable_provisioning
+              raise ZuoraConnect::Exceptions::AccessDenied.new("Provisioning is suspended")
+            end
+
+            Apartment::Tenant.switch!("public")
+            begin
+              Apartment::Tenant.create(values["appInstance"].to_s)
+            rescue Apartment::TenantExists => ex
+              ZuoraConnect.logger.debug("Tenant Already Exists")
+            end
+            mapped_values = {:api_token => values['api_token'], :token => values['api_token'], :access_token => values["access_token"], :refresh_token => values["refresh_token"], :oauth_expires_at => values["expires"]}
+            @appinstance = ZuoraConnect::AppInstance.new(mapped_values.merge({:id => values["appInstance"].to_i}))
+            @appinstance.save(:validate => false)
+          else
+            mapped_values = {:access_token => values["access_token"], :refresh_token => values["refresh_token"], :oauth_expires_at => values["expires"]}
+            @appinstance.assign_attributes(mapped_values)
+            if @appinstance.access_token_changed? && @appinstance.refresh_token_changed?
+              @appinstance.save(:validate => false)
+            else
+              raise ZuoraConnect::Exceptions::AccessDenied.new("Authorization mismatch. Possible tampering with session.")
+            end
+          end
+        else
+          if session["appInstance"].present?
+            @appinstance = ZuoraConnect::AppInstance.find_by(:id => session["appInstance"])
+          else
+            if ZuoraConnect::AppInstance::INTERNAL_HOSTS.include?(request.headers.fetch("HOST", nil)) 
+              render "zuora_connect/application/ldap_login", :layout => false
+              return
+            else
+              raise ZuoraConnect::Exceptions::AccessDenied.new("No application state or session found.")
+            end
+          end
         end
-        session["#{@appinstance.id}::admin"] =  ZuoraConnect.configuration.dev_mode_admin
       end
 
-      #API ONLY
-      def check_instance
-        if @appinstance.present?
-          if @appinstance.new_session_for_api_requests(:params => params)
-            @appinstance.new_session(:session => @appinstance.data_lookup(:session => session))
-          end
-          Thread.current[:appinstance] = @appinstance
-          PaperTrail.whodunnit = "API User" if defined?(PaperTrail)
-          ElasticAPM.set_user("API User")  if defined?(ElasticAPM) 
-          return true
+      def next_instance_id
+        min_instance_id = 24_999_999
+        (ZuoraConnect::AppInstance.all.where("id > #{min_instance_id}").order(id: :desc).limit(1).pluck(:id).first || min_instance_id) + 1
+      end
+
+      def new_instance(id, zuora_entity_id, rest_domain, tenant_id: nil, task_data: nil, retry_count: 0)
+        app_instance = ZuoraConnect::AppInstance.new(
+          :id => id,
+          :api_token => generate_token,
+          :token => generate_token,
+          :oauth_expires_at => Time.now + 1000.years,
+          :zuora_domain => rest_domain,
+          :zuora_entity_ids => [zuora_entity_id]
+        )
+
+        app_instance[:zuora_tenant_ids] = [tenant_id.to_s] if tenant_id.present?
+
+        if task_data.nil?
+          # no encryption
+          app_instance['zuora_logins'] = task_data
         else
-          render text: "Access Denied", status: :unauthorized
+          # kms encrypt
+          app_instance.zuora_logins = task_data
         end
+
+        begin
+          app_instance.save(:validate => false)
+        rescue ActiveRecord::RecordNotUnique
+          raise if retry_count > 1
+
+          Thread.current[:appinstance] = nil
+          session['appInstance'] = nil
+          render 'zuora_connect/static/error_handled', :locals => {
+            :title => 'Application could not create unique tokens.',
+            :message => 'Please contact support or retry launching application.'
+          }, :layout => false
+          return
+        end
+
+        app_instance
+      end
+
+      def generate_token
+        rand(36**64).to_s(36)
       end
     end
   end