split login and trusted_device logic
This commit is contained in:
parent
aebd3ff670
commit
bee9a108c5
6 changed files with 143 additions and 82 deletions
|
@ -1,4 +1,6 @@
|
||||||
class ApplicationController < ActionController::Base
|
class ApplicationController < ActionController::Base
|
||||||
|
include TrustedDeviceConcern
|
||||||
|
|
||||||
MAINTENANCE_MESSAGE = 'Le site est actuellement en maintenance. Il sera à nouveau disponible dans un court instant.'
|
MAINTENANCE_MESSAGE = 'Le site est actuellement en maintenance. Il sera à nouveau disponible dans un court instant.'
|
||||||
|
|
||||||
# Prevent CSRF attacks by raising an exception.
|
# Prevent CSRF attacks by raising an exception.
|
||||||
|
@ -6,6 +8,7 @@ class ApplicationController < ActionController::Base
|
||||||
protect_from_forgery with: :exception, if: -> { !Rails.env.test? }
|
protect_from_forgery with: :exception, if: -> { !Rails.env.test? }
|
||||||
before_action :load_navbar_left_pannel_partial_url
|
before_action :load_navbar_left_pannel_partial_url
|
||||||
before_action :set_raven_context
|
before_action :set_raven_context
|
||||||
|
before_action :redirect_if_untrusted
|
||||||
before_action :authorize_request_for_profiler
|
before_action :authorize_request_for_profiler
|
||||||
before_action :reject, if: -> { Flipflop.maintenance_mode? }
|
before_action :reject, if: -> { Flipflop.maintenance_mode? }
|
||||||
|
|
||||||
|
@ -151,4 +154,30 @@ class ApplicationController < ActionController::Base
|
||||||
redirect_to root_path
|
redirect_to root_path
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def redirect_if_untrusted
|
||||||
|
if gestionnaire_signed_in? &&
|
||||||
|
sensitive_path &&
|
||||||
|
current_gestionnaire.feature_enabled?(:enable_email_login_token) &&
|
||||||
|
!trusted_device?
|
||||||
|
|
||||||
|
send_login_token_or_bufferize(current_gestionnaire)
|
||||||
|
redirect_to link_sent_path(email: current_gestionnaire.email)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def sensitive_path
|
||||||
|
path = request.path_info
|
||||||
|
|
||||||
|
if path == '/' ||
|
||||||
|
path == '/users/sign_out' ||
|
||||||
|
path.start_with?('/connexion-par-jeton') ||
|
||||||
|
path.start_with?('/api/') ||
|
||||||
|
path.start_with?('/lien-envoye')
|
||||||
|
|
||||||
|
false
|
||||||
|
else
|
||||||
|
true
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -23,20 +23,7 @@ class Users::SessionsController < Sessions::SessionsController
|
||||||
current_user.update(loged_in_with_france_connect: nil)
|
current_user.update(loged_in_with_france_connect: nil)
|
||||||
end
|
end
|
||||||
|
|
||||||
if gestionnaire_signed_in?
|
if gestionnaire_signed_in? || user_signed_in?
|
||||||
if trusted_device? || !current_gestionnaire.feature_enabled?(:enable_email_login_token)
|
|
||||||
set_flash_message :notice, :signed_in
|
|
||||||
redirect_to after_sign_in_path_for(:user)
|
|
||||||
else
|
|
||||||
gestionnaire = current_gestionnaire
|
|
||||||
|
|
||||||
send_login_token_or_bufferize(gestionnaire)
|
|
||||||
|
|
||||||
[:user, :gestionnaire, :administrateur].each { |role| sign_out(role) }
|
|
||||||
|
|
||||||
redirect_to link_sent_path(email: gestionnaire.email)
|
|
||||||
end
|
|
||||||
elsif user_signed_in?
|
|
||||||
set_flash_message :notice, :signed_in
|
set_flash_message :notice, :signed_in
|
||||||
redirect_to after_sign_in_path_for(:user)
|
redirect_to after_sign_in_path_for(:user)
|
||||||
else
|
else
|
||||||
|
@ -87,28 +74,24 @@ class Users::SessionsController < Sessions::SessionsController
|
||||||
trust_device
|
trust_device
|
||||||
flash.notice = "Merci d’avoir confirmé votre connexion. Votre navigateur est maintenant authentifié pour #{TRUSTED_DEVICE_PERIOD.to_i / ActiveSupport::Duration::SECONDS_PER_DAY} jours."
|
flash.notice = "Merci d’avoir confirmé votre connexion. Votre navigateur est maintenant authentifié pour #{TRUSTED_DEVICE_PERIOD.to_i / ActiveSupport::Duration::SECONDS_PER_DAY} jours."
|
||||||
|
|
||||||
user = User.find_by(email: gestionnaire.email)
|
|
||||||
administrateur = Administrateur.find_by(email: gestionnaire.email)
|
|
||||||
[user, gestionnaire, administrateur].compact.each { |resource| sign_in(resource) }
|
|
||||||
|
|
||||||
# redirect to procedure'url if stored by store_location_for(:user) in dossiers_controller
|
# redirect to procedure'url if stored by store_location_for(:user) in dossiers_controller
|
||||||
# redirect to root_path otherwise
|
# redirect to root_path otherwise
|
||||||
|
|
||||||
|
if gestionnaire_signed_in?
|
||||||
redirect_to after_sign_in_path_for(:user)
|
redirect_to after_sign_in_path_for(:user)
|
||||||
else
|
else
|
||||||
flash[:alert] = 'Votre lien est invalide ou expiré, veuillez-vous reconnecter.'
|
|
||||||
redirect_to new_user_session_path
|
redirect_to new_user_session_path
|
||||||
end
|
end
|
||||||
|
else
|
||||||
|
flash[:alert] = 'Votre lien est invalide ou expiré, un nouveau vient de vous être envoyé.'
|
||||||
|
|
||||||
|
send_login_token_or_bufferize(gestionnaire)
|
||||||
|
redirect_to link_sent_path(email: gestionnaire.email)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def send_login_token_or_bufferize(gestionnaire)
|
|
||||||
if !gestionnaire.young_login_token?
|
|
||||||
login_token = gestionnaire.login_token!
|
|
||||||
GestionnaireMailer.send_login_token(gestionnaire, login_token).deliver_later
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
def try_to_authenticate(klass, remember_me = false)
|
def try_to_authenticate(klass, remember_me = false)
|
||||||
resource = klass.find_for_database_authentication(email: params[:user][:email])
|
resource = klass.find_for_database_authentication(email: params[:user][:email])
|
||||||
|
|
||||||
|
|
|
@ -17,6 +17,13 @@ module TrustedDeviceConcern
|
||||||
(Time.zone.now - TRUSTED_DEVICE_PERIOD) < trusted_device_cookie_created_at
|
(Time.zone.now - TRUSTED_DEVICE_PERIOD) < trusted_device_cookie_created_at
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def send_login_token_or_bufferize(gestionnaire)
|
||||||
|
if !gestionnaire.young_login_token?
|
||||||
|
login_token = gestionnaire.login_token!
|
||||||
|
GestionnaireMailer.send_login_token(gestionnaire, login_token).deliver_later
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def trusted_device_cookie_created_at
|
def trusted_device_cookie_created_at
|
||||||
|
|
|
@ -9,6 +9,7 @@ describe ApplicationController, type: :controller do
|
||||||
.map(&:filter)
|
.map(&:filter)
|
||||||
|
|
||||||
expect(before_actions).to include(:set_raven_context)
|
expect(before_actions).to include(:set_raven_context)
|
||||||
|
expect(before_actions).to include(:redirect_if_untrusted)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -145,4 +146,54 @@ describe ApplicationController, type: :controller do
|
||||||
it { expect(flash[:alert]).to eq(ApplicationController::MAINTENANCE_MESSAGE) }
|
it { expect(flash[:alert]).to eq(ApplicationController::MAINTENANCE_MESSAGE) }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe '#redirect_if_unstrusted' do
|
||||||
|
let(:current_gestionnaire) { create(:gestionnaire) }
|
||||||
|
|
||||||
|
before do
|
||||||
|
allow(current_gestionnaire).to receive(:feature_enabled?).and_return(feature_enabled)
|
||||||
|
allow(@controller).to receive(:current_gestionnaire).and_return(current_gestionnaire)
|
||||||
|
|
||||||
|
allow(@controller).to receive(:redirect_to)
|
||||||
|
allow(@controller).to receive(:trusted_device?).and_return(trusted_device)
|
||||||
|
allow(@controller).to receive(:gestionnaire_signed_in?).and_return(gestionnaire_signed_in)
|
||||||
|
allow(@controller).to receive(:sensitive_path).and_return(sensitive_path)
|
||||||
|
allow(@controller).to receive(:send_login_token_or_bufferize)
|
||||||
|
end
|
||||||
|
|
||||||
|
subject { @controller.send(:redirect_if_untrusted) }
|
||||||
|
|
||||||
|
context 'when the path is sensitive' do
|
||||||
|
let(:sensitive_path) { true }
|
||||||
|
|
||||||
|
context 'when the gestionnaire is signed_in' do
|
||||||
|
let(:gestionnaire_signed_in) { true }
|
||||||
|
|
||||||
|
context 'when the feature is activated' do
|
||||||
|
let(:feature_enabled) { true }
|
||||||
|
|
||||||
|
context 'when the device is trusted' do
|
||||||
|
let(:trusted_device) { true }
|
||||||
|
|
||||||
|
before { subject }
|
||||||
|
|
||||||
|
it { expect(@controller).not_to have_received(:redirect_to) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the feature is activated' do
|
||||||
|
let(:feature_enabled) { true }
|
||||||
|
|
||||||
|
context 'when the device is not trusted' do
|
||||||
|
let(:trusted_device) { false }
|
||||||
|
|
||||||
|
before { subject }
|
||||||
|
|
||||||
|
it { expect(@controller).to have_received(:redirect_to) }
|
||||||
|
it { expect(@controller).to have_received(:send_login_token_or_bufferize) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -40,6 +40,7 @@ describe Sessions::SessionsController, type: :controller do
|
||||||
@request.env["devise.mapping"] = Devise.mappings[:gestionnaire]
|
@request.env["devise.mapping"] = Devise.mappings[:gestionnaire]
|
||||||
|
|
||||||
allow_any_instance_of(described_class).to receive(:gestionnaire_signed_in?).and_return(true)
|
allow_any_instance_of(described_class).to receive(:gestionnaire_signed_in?).and_return(true)
|
||||||
|
allow_any_instance_of(described_class).to receive(:current_gestionnaire).and_return(gestionnaire)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'calls sign out for gestionnaire' do
|
it 'calls sign out for gestionnaire' do
|
||||||
|
|
|
@ -28,31 +28,15 @@ describe Users::SessionsController, type: :controller do
|
||||||
context 'when the device is not trusted' do
|
context 'when the device is not trusted' do
|
||||||
let(:trusted_device) { false }
|
let(:trusted_device) { false }
|
||||||
|
|
||||||
it 'redirects to the confirmation link path' do
|
it 'redirects to the root path' do
|
||||||
subject
|
subject
|
||||||
|
|
||||||
expect(controller).to redirect_to link_sent_path(email: email)
|
expect(controller).to redirect_to(root_path)
|
||||||
|
|
||||||
# do not know why, should be test related
|
|
||||||
expect(controller.current_user).to eq(user)
|
expect(controller.current_user).to eq(user)
|
||||||
|
expect(controller.current_gestionnaire).to eq(gestionnaire)
|
||||||
expect(controller.current_gestionnaire).to be(nil)
|
expect(controller.current_administrateur).to eq(administrateur)
|
||||||
expect(controller.current_administrateur).to be(nil)
|
expect(user.loged_in_with_france_connect).to eq(nil)
|
||||||
expect(user.loged_in_with_france_connect).to be(nil)
|
|
||||||
expect(GestionnaireMailer).to have_received(:send_login_token)
|
|
||||||
end
|
|
||||||
|
|
||||||
context 'and the user try to connect multiple times in a short period' do
|
|
||||||
before do
|
|
||||||
allow_any_instance_of(Gestionnaire).to receive(:young_login_token?).and_return(true)
|
|
||||||
allow(GestionnaireMailer).to receive(:send_login_token)
|
|
||||||
end
|
|
||||||
|
|
||||||
it 'does not renew nor send a new login token' do
|
|
||||||
subject
|
|
||||||
|
|
||||||
expect(GestionnaireMailer).not_to have_received(:send_login_token)
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -69,7 +53,6 @@ describe Users::SessionsController, type: :controller do
|
||||||
expect(controller.current_gestionnaire).to eq(gestionnaire)
|
expect(controller.current_gestionnaire).to eq(gestionnaire)
|
||||||
expect(controller.current_administrateur).to eq(administrateur)
|
expect(controller.current_administrateur).to eq(administrateur)
|
||||||
expect(user.loged_in_with_france_connect).to be(nil)
|
expect(user.loged_in_with_france_connect).to be(nil)
|
||||||
expect(GestionnaireMailer).not_to have_received(:send_login_token)
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -193,16 +176,42 @@ describe Users::SessionsController, type: :controller do
|
||||||
context 'when the gestionnaire has non other account' do
|
context 'when the gestionnaire has non other account' do
|
||||||
let(:gestionnaire) { create(:gestionnaire) }
|
let(:gestionnaire) { create(:gestionnaire) }
|
||||||
let!(:good_jeton) { gestionnaire.login_token! }
|
let!(:good_jeton) { gestionnaire.login_token! }
|
||||||
|
let(:logged) { false }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
|
if logged
|
||||||
|
sign_in gestionnaire
|
||||||
|
end
|
||||||
allow(controller).to receive(:trust_device)
|
allow(controller).to receive(:trust_device)
|
||||||
|
allow(controller).to receive(:send_login_token_or_bufferize)
|
||||||
post :sign_in_by_link, params: { id: gestionnaire.id, jeton: jeton }
|
post :sign_in_by_link, params: { id: gestionnaire.id, jeton: jeton }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'when the gestionnaire is not logged in' do
|
||||||
|
context 'when the token is valid' do
|
||||||
|
let(:jeton) { good_jeton }
|
||||||
|
|
||||||
|
it { is_expected.to redirect_to new_user_session_path }
|
||||||
|
it { expect(controller.current_gestionnaire).to be_nil }
|
||||||
|
it { expect(controller).to have_received(:trust_device) }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the token is invalid' do
|
||||||
|
let(:jeton) { 'invalid_token' }
|
||||||
|
|
||||||
|
it { is_expected.to redirect_to link_sent_path(email: gestionnaire.email) }
|
||||||
|
it { expect(controller.current_gestionnaire).to be_nil }
|
||||||
|
it { expect(controller).not_to have_received(:trust_device) }
|
||||||
|
it { expect(controller).to have_received(:send_login_token_or_bufferize) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the gestionnaire is logged in' do
|
||||||
|
let(:logged) { true }
|
||||||
|
|
||||||
context 'when the token is valid' do
|
context 'when the token is valid' do
|
||||||
let(:jeton) { good_jeton }
|
let(:jeton) { good_jeton }
|
||||||
|
|
||||||
# TODO when the gestionnaire has no other account, and the token is valid, and the user signing in was not starting a demarche,
|
|
||||||
# redirect to root_path, then redirect to gestionnaire_procedures_path (see root_controller)
|
# redirect to root_path, then redirect to gestionnaire_procedures_path (see root_controller)
|
||||||
it { is_expected.to redirect_to root_path }
|
it { is_expected.to redirect_to root_path }
|
||||||
it { expect(controller.current_gestionnaire).to eq(gestionnaire) }
|
it { expect(controller.current_gestionnaire).to eq(gestionnaire) }
|
||||||
|
@ -212,30 +221,11 @@ describe Users::SessionsController, type: :controller do
|
||||||
context 'when the token is invalid' do
|
context 'when the token is invalid' do
|
||||||
let(:jeton) { 'invalid_token' }
|
let(:jeton) { 'invalid_token' }
|
||||||
|
|
||||||
it { is_expected.to redirect_to new_user_session_path }
|
it { is_expected.to redirect_to link_sent_path(email: gestionnaire.email) }
|
||||||
it { expect(controller.current_gestionnaire).to be_nil }
|
|
||||||
it { expect(controller).not_to have_received(:trust_device) }
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
context 'when the gestionnaire has an user and admin account' do
|
|
||||||
let(:email) { 'unique@plop.com' }
|
|
||||||
let(:password) { 'un super mot de passe' }
|
|
||||||
|
|
||||||
let!(:user) { create(:user, email: email, password: password) }
|
|
||||||
let!(:administrateur) { create(:administrateur, email: email, password: password) }
|
|
||||||
let(:gestionnaire) { administrateur.gestionnaire }
|
|
||||||
|
|
||||||
before do
|
|
||||||
post :sign_in_by_link, params: { id: gestionnaire.id, jeton: jeton }
|
|
||||||
end
|
|
||||||
|
|
||||||
context 'when the token is valid' do
|
|
||||||
let(:jeton) { gestionnaire.login_token! }
|
|
||||||
|
|
||||||
it { expect(controller.current_gestionnaire).to eq(gestionnaire) }
|
it { expect(controller.current_gestionnaire).to eq(gestionnaire) }
|
||||||
it { expect(controller.current_administrateur).to eq(administrateur) }
|
it { expect(controller).not_to have_received(:trust_device) }
|
||||||
it { expect(controller.current_user).to eq(user) }
|
it { expect(controller).to have_received(:send_login_token_or_bufferize) }
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -250,7 +240,7 @@ describe Users::SessionsController, type: :controller do
|
||||||
context 'when the cookie is outdated' do
|
context 'when the cookie is outdated' do
|
||||||
before do
|
before do
|
||||||
Timecop.freeze(Time.zone.now - TrustedDeviceConcern::TRUSTED_DEVICE_PERIOD - 1.minute)
|
Timecop.freeze(Time.zone.now - TrustedDeviceConcern::TRUSTED_DEVICE_PERIOD - 1.minute)
|
||||||
controller.trust_device
|
controller.trust_device(Time.zone.now)
|
||||||
Timecop.return
|
Timecop.return
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -258,7 +248,7 @@ describe Users::SessionsController, type: :controller do
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when the cookie is ok' do
|
context 'when the cookie is ok' do
|
||||||
before { controller.trust_device }
|
before { controller.trust_device(Time.zone.now) }
|
||||||
|
|
||||||
it { is_expected.to be true }
|
it { is_expected.to be true }
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue