Feature: SOFIA-local accounts with login (with optional 2fa) (#925)

* added local accounts with login and 2fa

* added tests for logging in

* added translation for forgot password page

* fixed some stuff

* finished tests

* rubocop autofixes

* fixes css linting warning

* merge?

* fixed schema

* fixed bunch of rubocop linting

* Fixed all rubocop linting errors

* fix tests

* change check for association

* improve the lint

* improve schema.rb

* change schema to use new migration date

* use build in way for checking mails

* change Null constraints

* make majority of coderabbits its suggestions

* fix some more code rabbit suggeestions

* fix tests and lint

* fixx tests

---------

Co-authored-by: Lodewiges <[email protected]>

Author: Ellen-Wittingen

Gemfile

@@ -1,5 +1,6 @@
 source 'https://rubygems.org'
 
+gem 'active_model_otp', '~> 2.3', '>= 2.3.1'
 gem 'bcrypt', '~> 3.1.20'
 gem 'bootsnap', '~> 1.19.0'
 gem 'browser', '~> 6.2.0'
@@ -19,6 +20,7 @@ gem 'net-imap', '~> 0.5.12'
 gem 'net-pop',  '~> 0.1.2'
 gem 'net-smtp', '~> 0.5.1'
 gem 'omniauth', '~> 2.1.4'
+gem 'omniauth-identity', '~> 3.1', '>= 3.1.2'
 gem 'omniauth-oauth2', '~> 1.8.0'
 gem 'omniauth-rails_csrf_protection', '~> 1.0'
 gem 'paper_trail', '~> 17.0.0'
@@ -31,6 +33,7 @@ gem 'rails', '~> 7.2.3'
 gem 'rails-i18n', '~> 7.0.10'
 gem 'redis', '~> 5.0'
 gem 'rest-client', '~> 2.1.0'
+gem 'rqrcode', '~> 2.2'
 gem 'sentry-rails', '~> 6.1', '>= 6.1.1'
 gem 'sentry-ruby', '~> 6.1', '>= 6.1.1'
 gem 'sentry-sidekiq', '~> 6.1', '>= 6.1.1'

Gemfile.lock

@@ -47,6 +47,9 @@ GEM
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
+    active_model_otp (2.3.4)
+      activemodel
+      rotp (~> 6.3.0)
     activejob (7.2.3)
       activesupport (= 7.2.3)
       globalid (>= 0.3.6)
@@ -111,10 +114,11 @@ GEM
       capistrano-bundler
       sidekiq (>= 7.0)
     cgi (0.5.0)
+    chunky_png (1.4.0)
     coderay (1.1.3)
     colorize (1.1.0)
     concurrent-ruby (1.3.5)
-    connection_pool (2.5.4)
+    connection_pool (2.5.5)
     crass (1.0.6)
     cssbundling-rails (1.4.3)
       railties (>= 6.0.0)
@@ -278,6 +282,7 @@ GEM
     multi_json (1.17.0)
     multi_xml (0.7.2)
       bigdecimal (~> 3.1)
+    mutex_m (0.3.0)
     nenv (0.3.0)
     net-http (0.6.0)
       uri
@@ -315,6 +320,11 @@ GEM
       logger
       rack (>= 2.2.3)
       rack-protection
+    omniauth-identity (3.1.5)
+      bcrypt (~> 3.1)
+      mutex_m (~> 0.1)
+      omniauth (>= 1)
+      version_gem (~> 1.1, >= 1.1.9)
     omniauth-oauth2 (1.8.0)
       oauth2 (>= 1.4, < 3)
       omniauth (~> 2.0)
@@ -413,7 +423,7 @@ GEM
     rb-inotify (0.11.1)
       ffi (~> 1.0)
     rb-readline (0.5.5)
-    rdoc (6.15.1)
+    rdoc (6.16.1)
       erb
       psych (>= 4.0.0)
       tsort
@@ -434,7 +444,12 @@ GEM
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
+    rotp (6.3.0)
     rouge (4.6.1)
+    rqrcode (2.2.0)
+      chunky_png (~> 1.0)
+      rqrcode_core (~> 1.0)
+    rqrcode_core (1.2.0)
     rspec (3.13.2)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
@@ -444,7 +459,7 @@ GEM
     rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.6)
+    rspec-mocks (3.13.7)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-rails (8.0.2)
@@ -594,6 +609,7 @@ PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
+  active_model_otp (~> 2.3, >= 2.3.1)
   awesome_print (~> 1.9.2)
   bcrypt (~> 3.1.20)
   better_errors (~> 2.10.1)
@@ -626,6 +642,7 @@ DEPENDENCIES
   net-pop (~> 0.1.2)
   net-smtp (~> 0.5.1)
   omniauth (~> 2.1.4)
+  omniauth-identity (~> 3.1, >= 3.1.2)
   omniauth-oauth2 (~> 1.8.0)
   omniauth-rails_csrf_protection (~> 1.0)
   paper_trail (~> 17.0.0)
@@ -642,6 +659,7 @@ DEPENDENCIES
   rb-readline (~> 0.5.5)
   redis (~> 5.0)
   rest-client (~> 2.1.0)
+  rqrcode (~> 2.2)
   rspec-rails (~> 8.0.2)
   rubocop (~> 1.81.7)
   rubocop-factory_bot (~> 2.28.0)

app/assets/stylesheets/application.scss

@@ -81,6 +81,20 @@ a {
   }
 }
 
+.sofia-account-input {
+  min-width: 18rem;
+}
+
+.qr-code {
+  max-width: 20rem;
+}
+
+main {
+  // Wanneer er veel activiteiten zijn, gaat de quote onderaan de 
+  // pagina onder de footer, dus voeg padding toe met de hoogte van de footer
+  padding-bottom: 48px;
+}
+
 .btn-login {
   width: 100%
 }

app/controllers/application_controller.rb

@@ -1,6 +1,8 @@
 class ApplicationController < ActionController::Base
   include Pundit::Authorization
 
+  protect_from_forgery with: :exception, prepend: true
+
   before_action :set_sentry_context
   before_action :set_paper_trail_whodunnit
   before_action :set_layout_flag
@@ -34,4 +36,8 @@ def set_layout_flag
     @show_navigationbar = true
     @show_extras = true
   end
+
+  def normalize_error_messages(full_messages)
+    full_messages.map(&:downcase).join(', ')
+  end
 end

app/controllers/callbacks_controller.rb

@@ -2,11 +2,66 @@ class CallbacksController < Devise::OmniauthCallbacksController
   def amber_oauth2
     user = User.from_omniauth(request.env['omniauth.auth'])
 
-    if user.persisted?
+    if user&.persisted?
       sign_in(:user, user)
       redirect_to user.roles.any? ? root_path : user_path(user.id)
     else
-      redirect_to root_path, flash: { error: 'Authentication failed' }
+      redirect_to root_path, flash: { error: 'Inloggen gefaald.' }
     end
   end
+
+  def identity
+    user = User.from_omniauth_inspect(request.env['omniauth.auth'])
+
+    if user&.persisted?
+      if user.deactivated
+        render(json: { state: 'password_prompt', error_message: 'Uw account is gedeactiveerd, dus inloggen is niet mogelijk.' })
+      else
+        check_identity_with_user(user, SofiaAccount.find_by(user_id: user.id))
+      end
+    else
+      render(json: { state: 'password_prompt', error_message: 'Inloggen mislukt. De ingevulde gegevens zijn incorrect.' })
+    end
+  end
+
+  def check_identity_with_user(user, sofia_account)
+    if sofia_account&.otp_enabled
+      check_identity_with_otp(sofia_account, user)
+    elsif sofia_account
+      # no OTP enabled
+      sign_in(:user, user)
+      render(json: { state: 'logged_in', redirect_url: user.roles.any? ? root_path : user_path(user.id) })
+    else
+      # sofia_account does not exist, should not be possible
+      render(json: { state: 'password_prompt', error_message: 'Inloggen mislukt door een error. Herlaad de pagina en probeer het nog
+                                                               een keer. <br/><i>Werkt het na een paar keer proberen nog steeds niet?
+                                                               Neem dan contact op met de ICT-commissie.</i>' })
+    end
+  end
+
+  def check_identity_with_otp(sofia_account, user)
+    if params[:verification_code].blank?
+      # OTP code not present, so request it
+      render(json: { state: 'otp_prompt' })
+    elsif sofia_account.authenticate_otp(params[:verification_code])
+      # OTP code correct
+      sign_in(:user, user)
+      render(json: { state: 'logged_in', redirect_url: user.roles.any? ? root_path : user_path(user.id) })
+    else
+      # OTP code incorrect
+      render(json: { state: 'otp_prompt', error_message: 'Inloggen mislukt. De authenticatiecode is incorrect.' })
+    end
+  end
+
+  def failure
+    error_message = 'Inloggen mislukt.'
+    if request.env['omniauth.error.strategy'].instance_of? OmniAuth::Strategies::Identity
+      error_message << if request.env['omniauth.error.type'].to_s == 'invalid_credentials'
+                         ' De ingevulde gegevens zijn incorrect.'
+                       else
+                         ' Er is een onverwachte fout opgetreden.'
+                       end
+    end
+    render(json: { state: 'password_prompt', error_message: })
+  end
 end