First crack

app/channels/application_cable/connection.rb

@@ -0,0 +1,16 @@
+module ApplicationCable
+  class Connection < ActionCable::Connection::Base
+    identified_by :current_user
+
+    def connect
+      set_current_user || reject_unauthorized_connection
+    end
+
+    private
+      def set_current_user
+        if session = Session.find_by(id: cookies.signed[:session_id])
+          self.current_user = session.user
+        end
+      end
+  end
+end

app/controllers/application_controller.rb

@@ -1,4 +1,5 @@
 class ApplicationController < ActionController::Base
+  include Authentication
   # Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
   allow_browser versions: :modern
 

app/controllers/concerns/authentication.rb

@@ -0,0 +1,52 @@
+module Authentication
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :require_authentication
+    helper_method :authenticated?
+  end
+
+  class_methods do
+    def allow_unauthenticated_access(**options)
+      skip_before_action :require_authentication, **options
+    end
+  end
+
+  private
+    def authenticated?
+      resume_session
+    end
+
+    def require_authentication
+      resume_session || request_authentication
+    end
+
+    def resume_session
+      Current.session ||= find_session_by_cookie
+    end
+
+    def find_session_by_cookie
+      Session.find_by(id: cookies.signed[:session_id]) if cookies.signed[:session_id]
+    end
+
+    def request_authentication
+      session[:return_to_after_authenticating] = request.url
+      redirect_to new_session_path
+    end
+
+    def after_authentication_url
+      session.delete(:return_to_after_authenticating) || root_url
+    end
+
+    def start_new_session_for(user)
+      user.sessions.create!(user_agent: request.user_agent, ip_address: request.remote_ip).tap do |session|
+        Current.session = session
+        cookies.signed.permanent[:session_id] = { value: session.id, httponly: true, same_site: :lax }
+      end
+    end
+
+    def terminate_session
+      Current.session.destroy
+      cookies.delete(:session_id)
+    end
+end

app/controllers/passwords_controller.rb

@@ -0,0 +1,35 @@
+class PasswordsController < ApplicationController
+  allow_unauthenticated_access
+  before_action :set_user_by_token, only: %i[ edit update ]
+  rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_password_path, alert: "Try again later." }
+
+  def new
+  end
+
+  def create
+    if user = User.find_by(email_address: params[:email_address])
+      PasswordsMailer.reset(user).deliver_later
+    end
+
+    redirect_to new_session_path, notice: "Password reset instructions sent (if user with that email address exists)."
+  end
+
+  def edit
+  end
+
+  def update
+    if @user.update(params.permit(:password, :password_confirmation))
+      @user.sessions.destroy_all
+      redirect_to new_session_path, notice: "Password has been reset."
+    else
+      redirect_to edit_password_path(params[:token]), alert: "Passwords did not match."
+    end
+  end
+
+  private
+    def set_user_by_token
+      @user = User.find_by_password_reset_token!(params[:token])
+    rescue ActiveSupport::MessageVerifier::InvalidSignature
+      redirect_to new_password_path, alert: "Password reset link is invalid or has expired."
+    end
+end

app/controllers/sessions_controller.rb

@@ -0,0 +1,21 @@
+class SessionsController < ApplicationController
+  allow_unauthenticated_access only: %i[ new create ]
+  rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_path, alert: "Try again later." }
+
+  def new
+  end
+
+  def create
+    if user = User.authenticate_by(params.permit(:email_address, :password))
+      start_new_session_for user
+      redirect_to after_authentication_url
+    else
+      redirect_to new_session_path, alert: "Try another email address or password."
+    end
+  end
+
+  def destroy
+    terminate_session
+    redirect_to new_session_path, status: :see_other
+  end
+end

app/mailers/passwords_mailer.rb

@@ -0,0 +1,6 @@
+class PasswordsMailer < ApplicationMailer
+  def reset(user)
+    @user = user
+    mail subject: "Reset your password", to: user.email_address
+  end
+end

app/models/application.rb

@@ -0,0 +1,70 @@
+class Application < ApplicationRecord
+  has_many :application_groups, dependent: :destroy
+  has_many :allowed_groups, through: :application_groups, source: :group
+  has_many :oidc_authorization_codes, dependent: :destroy
+  has_many :oidc_access_tokens, dependent: :destroy
+
+  validates :name, presence: true
+  validates :slug, presence: true, uniqueness: { case_sensitive: false },
+                  format: { with: /\A[a-z0-9\-]+\z/, message: "only lowercase letters, numbers, and hyphens" }
+  validates :app_type, presence: true,
+                      inclusion: { in: %w[oidc trusted_header saml] }
+  validates :client_id, uniqueness: { allow_nil: true }
+
+  normalizes :slug, with: ->(slug) { slug.strip.downcase }
+
+  before_validation :generate_client_credentials, on: :create, if: :oidc?
+
+  # Scopes
+  scope :active, -> { where(active: true) }
+  scope :oidc, -> { where(app_type: "oidc") }
+  scope :trusted_header, -> { where(app_type: "trusted_header") }
+  scope :saml, -> { where(app_type: "saml") }
+
+  # Type checks
+  def oidc?
+    app_type == "oidc"
+  end
+
+  def trusted_header?
+    app_type == "trusted_header"
+  end
+
+  def saml?
+    app_type == "saml"
+  end
+
+  # Access control
+  def user_allowed?(user)
+    return false unless active?
+    return false unless user.active?
+
+    # If no groups are specified, allow all active users
+    return true if allowed_groups.empty?
+
+    # Otherwise, user must be in at least one of the allowed groups
+    (user.groups & allowed_groups).any?
+  end
+
+  # OIDC helpers
+  def parsed_redirect_uris
+    return [] unless redirect_uris.present?
+    JSON.parse(redirect_uris)
+  rescue JSON::ParserError
+    redirect_uris.split("\n").map(&:strip).reject(&:blank?)
+  end
+
+  def parsed_metadata
+    return {} unless metadata.present?
+    JSON.parse(metadata)
+  rescue JSON::ParserError
+    {}
+  end
+
+  private
+
+  def generate_client_credentials
+    self.client_id ||= SecureRandom.urlsafe_base64(32)
+    self.client_secret ||= SecureRandom.urlsafe_base64(48)
+  end
+end

app/models/application_group.rb

@@ -0,0 +1,6 @@
+class ApplicationGroup < ApplicationRecord
+  belongs_to :application
+  belongs_to :group
+
+  validates :application_id, uniqueness: { scope: :group_id }
+end

app/models/current.rb

@@ -0,0 +1,4 @@
+class Current < ActiveSupport::CurrentAttributes
+  attribute :session
+  delegate :user, to: :session, allow_nil: true
+end

app/models/group.rb

@@ -0,0 +1,9 @@
+class Group < ApplicationRecord
+  has_many :user_groups, dependent: :destroy
+  has_many :users, through: :user_groups
+  has_many :application_groups, dependent: :destroy
+  has_many :applications, through: :application_groups
+
+  validates :name, presence: true, uniqueness: { case_sensitive: false }
+  normalizes :name, with: ->(name) { name.strip.downcase }
+end

app/models/oidc_access_token.rb

@@ -0,0 +1,34 @@
+class OidcAccessToken < ApplicationRecord
+  belongs_to :application
+  belongs_to :user
+
+  before_validation :generate_token, on: :create
+  before_validation :set_expiry, on: :create
+
+  validates :token, presence: true, uniqueness: true
+
+  scope :valid, -> { where("expires_at > ?", Time.current) }
+  scope :expired, -> { where("expires_at <= ?", Time.current) }
+
+  def expired?
+    expires_at <= Time.current
+  end
+
+  def active?
+    !expired?
+  end
+
+  def revoke!
+    update!(expires_at: Time.current)
+  end
+
+  private
+
+  def generate_token
+    self.token ||= SecureRandom.urlsafe_base64(48)
+  end
+
+  def set_expiry
+    self.expires_at ||= 1.hour.from_now
+  end
+end

app/models/oidc_authorization_code.rb

@@ -0,0 +1,35 @@
+class OidcAuthorizationCode < ApplicationRecord
+  belongs_to :application
+  belongs_to :user
+
+  before_validation :generate_code, on: :create
+  before_validation :set_expiry, on: :create
+
+  validates :code, presence: true, uniqueness: true
+  validates :redirect_uri, presence: true
+
+  scope :valid, -> { where(used: false).where("expires_at > ?", Time.current) }
+  scope :expired, -> { where("expires_at <= ?", Time.current) }
+
+  def expired?
+    expires_at <= Time.current
+  end
+
+  def valid?
+    !used? && !expired?
+  end
+
+  def consume!
+    update!(used: true)
+  end
+
+  private
+
+  def generate_code
+    self.code ||= SecureRandom.urlsafe_base64(32)
+  end
+
+  def set_expiry
+    self.expires_at ||= 10.minutes.from_now
+  end
+end

app/models/session.rb

@@ -0,0 +1,33 @@
+class Session < ApplicationRecord
+  belongs_to :user
+
+  before_create :set_expiry
+  before_save :update_activity
+
+  # Scopes
+  scope :active, -> { where("expires_at > ?", Time.current) }
+  scope :expired, -> { where("expires_at <= ?", Time.current) }
+
+  def expired?
+    expires_at.present? && expires_at <= Time.current
+  end
+
+  def active?
+    !expired?
+  end
+
+  def touch_activity!
+    update_column(:last_activity_at, Time.current)
+  end
+
+  private
+
+  def set_expiry
+    self.expires_at ||= remember_me ? 30.days.from_now : 24.hours.from_now
+    self.last_activity_at ||= Time.current
+  end
+
+  def update_activity
+    self.last_activity_at = Time.current if expires_at_changed? || new_record?
+  end
+end

app/models/user.rb

@@ -0,0 +1,78 @@
+class User < ApplicationRecord
+  has_secure_password
+  has_many :sessions, dependent: :destroy
+  has_many :user_groups, dependent: :destroy
+  has_many :groups, through: :user_groups
+
+  # Token generation for passwordless flows
+  generates_token_for :invitation, expires_in: 7.days
+  generates_token_for :password_reset, expires_in: 1.hour
+  generates_token_for :magic_login, expires_in: 15.minutes
+
+  normalizes :email_address, with: ->(e) { e.strip.downcase }
+
+  validates :email_address, presence: true, uniqueness: { case_sensitive: false },
+                           format: { with: URI::MailTo::EMAIL_REGEXP }
+  validates :status, presence: true,
+                    inclusion: { in: %w[active disabled pending_invitation] }
+
+  # Scopes
+  scope :active, -> { where(status: "active") }
+  scope :admins, -> { where(admin: true) }
+
+  # TOTP methods
+  def totp_enabled?
+    totp_secret.present?
+  end
+
+  def enable_totp!
+    require "rotp"
+    self.totp_secret = ROTP::Base32.random
+    self.backup_codes = generate_backup_codes
+    save!
+  end
+
+  def disable_totp!
+    update!(totp_secret: nil, totp_required: false, backup_codes: nil)
+  end
+
+  def totp_provisioning_uri(issuer: "Clinch")
+    return nil unless totp_enabled?
+
+    require "rotp"
+    totp = ROTP::TOTP.new(totp_secret, issuer: issuer)
+    totp.provisioning_uri(email_address)
+  end
+
+  def verify_totp(code)
+    return false unless totp_enabled?
+
+    require "rotp"
+    totp = ROTP::TOTP.new(totp_secret)
+    totp.verify(code, drift_behind: 30, drift_ahead: 30)
+  end
+
+  def verify_backup_code(code)
+    return false unless backup_codes.present?
+
+    codes = JSON.parse(backup_codes)
+    if codes.include?(code)
+      codes.delete(code)
+      update(backup_codes: codes.to_json)
+      true
+    else
+      false
+    end
+  end
+
+  def parsed_backup_codes
+    return [] unless backup_codes.present?
+    JSON.parse(backup_codes)
+  end
+
+  private
+
+  def generate_backup_codes
+    Array.new(10) { SecureRandom.alphanumeric(8).upcase }.to_json
+  end
+end

app/models/user_group.rb

@@ -0,0 +1,6 @@
+class UserGroup < ApplicationRecord
+  belongs_to :user
+  belongs_to :group
+
+  validates :user_id, uniqueness: { scope: :group_id }
+end

app/views/passwords/edit.html.erb

@@ -0,0 +1,21 @@
+<div class="mx-auto md:w-2/3 w-full">
+  <% if alert = flash[:alert] %>
+    <p class="py-2 px-3 bg-red-50 mb-5 text-red-500 font-medium rounded-lg inline-block" id="alert"><%= alert %></p>
+  <% end %>
+
+  <h1 class="font-bold text-4xl">Update your password</h1>
+
+  <%= form_with url: password_path(params[:token]), method: :put, class: "contents" do |form| %>
+    <div class="my-5">
+      <%= form.password_field :password, required: true, autocomplete: "new-password", placeholder: "Enter new password", maxlength: 72, class: "block shadow-sm rounded-md border border-gray-400 focus:outline-solid focus:outline-blue-600 px-3 py-2 mt-2 w-full" %>
+    </div>
+
+    <div class="my-5">
+      <%= form.password_field :password_confirmation, required: true, autocomplete: "new-password", placeholder: "Repeat new password", maxlength: 72, class: "block shadow-sm rounded-md border border-gray-400 focus:outline-solid focus:outline-blue-600 px-3 py-2 mt-2 w-full" %>
+    </div>
+
+    <div class="inline">
+      <%= form.submit "Save", class: "w-full sm:w-auto text-center rounded-md px-3.5 py-2.5 bg-blue-600 hover:bg-blue-500 text-white inline-block font-medium cursor-pointer" %>
+    </div>
+  <% end %>
+</div>

app/views/passwords/new.html.erb

@@ -0,0 +1,17 @@
+<div class="mx-auto md:w-2/3 w-full">
+  <% if alert = flash[:alert] %>
+    <p class="py-2 px-3 bg-red-50 mb-5 text-red-500 font-medium rounded-lg inline-block" id="alert"><%= alert %></p>
+  <% end %>
+
+  <h1 class="font-bold text-4xl">Forgot your password?</h1>
+
+  <%= form_with url: passwords_path, class: "contents" do |form| %>
+    <div class="my-5">
+      <%= form.email_field :email_address, required: true, autofocus: true, autocomplete: "username", placeholder: "Enter your email address", value: params[:email_address], class: "block shadow-sm rounded-md border border-gray-400 focus:outline-solid focus:outline-blue-600 px-3 py-2 mt-2 w-full" %>
+    </div>
+
+    <div class="inline">
+      <%= form.submit "Email reset instructions", class: "w-full sm:w-auto text-center rounded-lg px-3.5 py-2.5 bg-blue-600 hover:bg-blue-500 text-white inline-block font-medium cursor-pointer" %>
+    </div>
+  <% end %>
+</div>

app/views/passwords_mailer/reset.html.erb

@@ -0,0 +1,6 @@
+<p>
+  You can reset your password on
+  <%= link_to "this password reset page", edit_password_url(@user.password_reset_token) %>.
+
+  This link will expire in <%= distance_of_time_in_words(0, @user.password_reset_token_expires_in) %>.
+</p>

app/views/passwords_mailer/reset.text.erb

@@ -0,0 +1,4 @@
+You can reset your password on
+<%= edit_password_url(@user.password_reset_token) %>
+
+This link will expire in <%= distance_of_time_in_words(0, @user.password_reset_token_expires_in) %>.

app/views/sessions/new.html.erb

@@ -0,0 +1,31 @@
+<div class="mx-auto md:w-2/3 w-full">
+  <% if alert = flash[:alert] %>
+    <p class="py-2 px-3 bg-red-50 mb-5 text-red-500 font-medium rounded-lg inline-block" id="alert"><%= alert %></p>
+  <% end %>
+
+  <% if notice = flash[:notice] %>
+    <p class="py-2 px-3 bg-green-50 mb-5 text-green-500 font-medium rounded-lg inline-block" id="notice"><%= notice %></p>
+  <% end %>
+
+  <h1 class="font-bold text-4xl">Sign in</h1>
+
+  <%= form_with url: session_url, class: "contents" do |form| %>
+    <div class="my-5">
+      <%= form.email_field :email_address, required: true, autofocus: true, autocomplete: "username", placeholder: "Enter your email address", value: params[:email_address], class: "block shadow-sm rounded-md border border-gray-400 focus:outline-blue-600 px-3 py-2 mt-2 w-full" %>
+    </div>
+
+    <div class="my-5">
+      <%= form.password_field :password, required: true, autocomplete: "current-password", placeholder: "Enter your password", maxlength: 72, class: "block shadow-sm rounded-md border border-gray-400 focus:outline-blue-600 px-3 py-2 mt-2 w-full" %>
+    </div>
+
+    <div class="col-span-6 sm:flex sm:items-center sm:gap-4">
+      <div class="inline">
+        <%= form.submit "Sign in", class: "w-full sm:w-auto text-center rounded-md px-3.5 py-2.5 bg-blue-600 hover:bg-blue-500 text-white inline-block font-medium cursor-pointer" %>
+      </div>
+
+      <div class="mt-4 text-sm text-gray-500 sm:mt-0">
+        <%= link_to "Forgot password?", new_password_path, class: "text-gray-700 underline hover:no-underline" %>
+      </div>
+    </div>
+  <% end %>
+</div>