Add Authentication logic

The ApplicationController provides a `current_user` method (and
helper) to access the authenticated user (if any).
The WelcomeController provides minimal logic to authenticate
against DiscourseSSO.

Current state is that one can login and logout.

Views need a lot of work.

8 files changed, 133 insertions, 1 deletions

diff --git a/app/assets/stylesheets/welcome.scss b/app/assets/stylesheets/welcome.scss
new file mode 100644
index 0000000..5042f7d
--- /dev/null
+++ b/app/assets/stylesheets/welcome.scss
@@ -0,0 +1,3 @@
+// Place all the styles related to the welcome controller here.
+// They will automatically be included in application.css.
+// You can use Sass (SCSS) here: https://sass-lang.com/
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 09705d1..c34b9f9 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,2 +1,14 @@
 class ApplicationController < ActionController::Base
+  protect_from_forgery with: :null_session
+
+  require 'sso'
+
+  before_action :current_user
+
+  protected
+
+  def current_user
+    @current_user ||= User.find_by(external_id: session[:current_user]) if session[:current_user].present?
+  end
+  helper_method :current_user
 end
diff --git a/app/controllers/welcome_controller.rb b/app/controllers/welcome_controller.rb
new file mode 100644
index 0000000..ae24138
--- /dev/null
+++ b/app/controllers/welcome_controller.rb
@@ -0,0 +1,82 @@
+class WelcomeController < ApplicationController
+  # GET /
+  def index
+  end
+
+  # GET /authenticate(/:token)
+  # Discourse SSO Authentication
+  def authenticate
+    # Ensure nobody tries silly things with our session
+    if params[:token].present? && !params[:token].match?(/[a-z0-9]{32}/)
+      raise(ArgumentError, "Token invalid")
+    end
+
+    # Try an ongoing SSO or create a new one
+    @sso = SSO::FromDiscourse.new(token: params[:token], nonce: session[params[:token]])
+    # Remove any current session
+    Rails.logger.info("Removing current session (#{session[:current_user]})")
+    session.destroy
+    @current_user = nil
+
+    if params[:token].nil? # Send to authenticate
+      # Record this token and nonce in the session
+      session[@sso.token] = @sso.nonce
+      # Send to authorization
+      redirect_to @sso.request_uri and return
+    end
+
+    # Validate authentication
+    begin
+      @sso.parse(params)
+    rescue ArgumentError => e
+      return 403, e.message
+    end
+
+    case @sso.status
+    when :unauthorized
+      Rails.logger.info("Authentication failed!")
+      return 403
+    when :ok
+      Rails.logger.info("Authentication succeeded!")
+      @current_user = User.find_by(external_id: @sso.user_info[:external_id]) ||
+                      begin
+                        Rails.logger.info('new user...')
+                        u = User.create(
+                          external_id: @sso.user_info[:external_id],
+                          avatar_url: @sso.user_info[:avatar_url],
+                          email: @sso.user_info[:email],
+                          name: @sso.user_info[:name],
+                          username: @sso.user_info[:username])
+                        Rails.logger.info('created user %s' % u.inspect)
+                        u
+                      rescue Exception => e
+                        raise
+                      end
+      # Update user agents
+      # TODO: do it as a background job, it has nothing to do here.
+      @sso.user_info[:groups].split(',').each do |g|
+        a = Agent.find_by_name(g)
+        if a
+          # TODO: call Discourse and make :leader if group owner
+          # TODO: do not create the record if it exists
+          a.agencies.create(user: u, roles: 2) # make new user an editor
+          Rails.logger.info('User has Agent %s' % g)
+        end
+      end
+      session[:current_user] = @current_user[:external_id]
+    end
+
+    redirect_to '/my/dashboard'
+  end
+
+  # GET /dashboard
+  def dashboard
+    redirect_to '/authenticate' and return unless current_user.present?
+  end
+
+  # GET /logout
+  def logout
+    session.destroy
+    render :index
+  end
+end
diff --git a/app/helpers/welcome_helper.rb b/app/helpers/welcome_helper.rb
new file mode 100644
index 0000000..eeead45
--- /dev/null
+++ b/app/helpers/welcome_helper.rb
@@ -0,0 +1,2 @@
+module WelcomeHelper
+end
diff --git a/app/views/welcome/authenticate.html.erb b/app/views/welcome/authenticate.html.erb
new file mode 100644
index 0000000..548101b
--- /dev/null
+++ b/app/views/welcome/authenticate.html.erb
@@ -0,0 +1,15 @@
+<h1>Authentication#sso_callback</h1>
+
+<p>Welcome <%= @current_user&.name %>!</p>
+
+<p>Your Agents:
+    <ul>
+        <% @current_user&.agencies&.each do |a| %>
+            <li><%= a.name %> (<%= a.roles %>)</li>
+        <% end %>
+    </ul>
+</p>
+
+<%= p @current_user %>
+<%= p @sso.user_info %>
+<%= p session %>
diff --git a/app/views/welcome/dashboard.html.erb b/app/views/welcome/dashboard.html.erb
new file mode 100644
index 0000000..81264e2
--- /dev/null
+++ b/app/views/welcome/dashboard.html.erb
@@ -0,0 +1,5 @@
+<h1>Welcome <%= h current_user.name %>!</h1>
+
+<p>Current Agent: <%= current_user&.agencies&.first&.agent&.name %></p>
+
+<p>Cool, what can we do now?</p>
diff --git a/app/views/welcome/index.html.erb b/app/views/welcome/index.html.erb
new file mode 100644
index 0000000..a1fa276
--- /dev/null
+++ b/app/views/welcome/index.html.erb
@@ -0,0 +1,8 @@
+<h1>Bienvenue à l'atelier carto d'IN COMMON</h1>
+
+<% if current_user.present? %>
+    <p>Hi <%= h current_user.name %>, please <%= link_to 'proceed to your dashboard', url_for(action: 'dashboard') %>.</p>
+    <p>You may <%= link_to 'sign off', logout_url %>.</p>
+<% else %>
+    <p><%= link_to "S'identifier avec Talk.incommon.cc", '/authenticate' %></p>
+<% end %>
diff --git a/config/routes.rb b/config/routes.rb
index a2260d6..ac3e3f3 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,6 +1,11 @@
 Rails.application.routes.draw do
   # For details on the DSL available within this file, see https://guides.rubyonrails.org/routing.html
 
+  root to: 'welcome#index'
+
+  get '/my/dashboard', to: 'welcome#dashboard'
+
   # Discourse SSO
-  get 'my/account/:token', to: 'authentication#login'
+  get 'authenticate(/:token)', to: 'welcome#authenticate'
+  get 'logout', to: 'welcome#logout'
 end