Merge pull request #59 from gmmcal/improve-auth

Improve authentication. Use session instead of basic auth
gmmcal · Apr 1, 2024 · 42b54ff · 42b54ff
2 parents 84ae0a5 + 141ee77
commit 42b54ff
Show file tree

Hide file tree

Showing 13 changed files with 130 additions and 13 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -14,6 +14,8 @@ jobs:
     runs-on: "ubuntu-latest"
     permissions:
       security-events: write
+      actions: read
+      contents: read
     strategy:
       fail-fast: false
       matrix:

diff --git a/app/assets/stylesheets/form.css b/app/assets/stylesheets/form.css
@@ -0,0 +1,25 @@
+html,
+body {
+    height: 100%;
+}
+
+.form-signin {
+    max-width: 330px;
+    padding: 1rem;
+}
+
+.form-signin .form-floating:focus-within {
+    z-index: 2;
+}
+
+.form-signin input[type="email"] {
+    margin-bottom: -1px;
+    border-bottom-right-radius: 0;
+    border-bottom-left-radius: 0;
+}
+
+.form-signin input[type="password"] {
+    margin-bottom: 10px;
+    border-top-left-radius: 0;
+    border-top-right-radius: 0;
+}
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1,15 +1,4 @@
 # frozen_string_literal: true
 
 class ApplicationController < ActionController::Base
-  before_action :authenticate
-
-  protected
-
-  def authenticate
-    return unless Rails.env.production?
-
-    authenticate_or_request_with_http_basic do |username, password|
-      username == ENV['USERNAME'] && password == ENV['PASSWORD']
-    end
-  end
 end
diff --git a/app/controllers/auths_controller.rb b/app/controllers/auths_controller.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class AuthsController < ApplicationController
+  def create
+    if params[:auth][:password] == password
+      session[:authenticated] = true
+      redirect_to root_path
+    else
+      session[:authenticated] = nil
+      redirect_to new_auth_path, flash: { danger: 'Invalid password' }
+    end
+  end
+
+  private
+
+  def password
+    ENV.fetch('APPLICATION_PASSWORD', 'password')
+  end
+end
diff --git a/app/controllers/report_controller.rb b/app/controllers/report_controller.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class ReportController < ApplicationController
+class ReportController < SecuredController
   before_action :report, :load_category, :year
   def index; end
 

diff --git a/app/controllers/secured_controller.rb b/app/controllers/secured_controller.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class SecuredController < ApplicationController
+  before_action :authenticate
+
+  protected
+
+  def authenticate
+    return if session[:authenticated]
+
+    redirect_to new_auth_path
+  end
+end
diff --git a/app/helpers/auths_helper.rb b/app/helpers/auths_helper.rb
@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+module AuthsHelper
+end
diff --git a/app/views/auths/_form.html.erb b/app/views/auths/_form.html.erb
@@ -0,0 +1,11 @@
+<%= form_for :auth, url: auths_path do |form| %>
+  <% flash.each do |name, msg| -%>
+    <%= content_tag :div, msg, class: 'text-bg-danger p-2 mt-2 mb-2' %>
+  <% end -%>
+
+  <div class="form-floating">
+    <%= form.text_field :password, placeholder: 'password', class: 'form-control' %>
+    <%= form.label :password %>
+  </div>
+  <%= form.submit 'Sign in', class:'btn btn-primary w-100 py-2' %>
+<% end %>
diff --git a/app/views/auths/new.html.erb b/app/views/auths/new.html.erb
@@ -0,0 +1,5 @@
+<main class="form-signin w-100 m-auto">
+  <h1 class="h3 mb-3 fw-normal">Authentication</h1>
+
+  <%= render 'form' %>
+</main>
diff --git a/app/views/layouts/auths.html.erb b/app/views/layouts/auths.html.erb
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>YNAB</title>
+    <%= csrf_meta_tags %>
+    <%= csp_meta_tag %>
+
+    <%= stylesheet_link_tag "application", "https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css", "data-turbo-track": "reload" %>
+    <%= javascript_importmap_tags %>
+  </head>
+
+  <body class="d-flex align-items-center py-4 bg-body-tertiary">
+    <%= yield %>
+  </body>
+</html>
diff --git a/config/routes.rb b/config/routes.rb
@@ -4,6 +4,8 @@
   # Define your application routes per the DSL in https://guides.rubyonrails.org/routing.html
   root 'report#index'
 
+  resources :auths, only: %i[new create]
+
   scope 'report' do
     get '/', to: 'report#all'
     get '/(:year)', to: 'report#yearly', constraints: { year: /\d*/ }

diff --git a/test/controllers/auths_controller_test.rb b/test/controllers/auths_controller_test.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class AuthsControllerTest < ActionDispatch::IntegrationTest
+  test 'should show authentication page' do
+    get new_auth_url
+    assert_response :success
+  end
+
+  test 'should authenticate and redirect to root on success' do
+    post auths_url, params: { auth: { password: 'password' } }
+
+    assert_response :redirect
+    assert_redirected_to root_url
+  end
+
+  test 'should fail authentication on failure' do
+    post auths_url, params: { auth: { password: 'something else' } }
+
+    assert_response :redirect
+    assert_redirected_to new_auth_path
+  end
+end
diff --git a/test/controllers/report_controller_test.rb b/test/controllers/report_controller_test.rb
@@ -3,7 +3,15 @@
 require 'test_helper'
 
 class ReportControllerTest < ActionDispatch::IntegrationTest
-  test 'should get index' do
+  test 'should redirect to auth when client is unauthenticated' do
+    get root_url
+    assert_response :redirect
+    assert_redirected_to new_auth_path
+  end
+
+  test 'should show report when user is logged in' do
+    post auths_url, params: { auth: { password: 'password' } }
+
     get root_url
     assert_response :success
   end