From 046c210e91fc03e1c670a0a28ea4849968c77056 Mon Sep 17 00:00:00 2001
From: hellekin <hellekin@cepheide.org>
Date: Mon, 5 Oct 2020 22:10:26 +0200
Subject: Add Authentication logic

The ApplicationController provides a `current_user` method (and
helper) to access the authenticated user (if any).
The WelcomeController provides minimal logic to authenticate
against DiscourseSSO.

Current state is that one can login and logout.

Views need a lot of work.
---
 app/controllers/welcome_controller.rb | 82 +++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 app/controllers/welcome_controller.rb

(limited to 'app/controllers/welcome_controller.rb')

diff --git a/app/controllers/welcome_controller.rb b/app/controllers/welcome_controller.rb
new file mode 100644
index 0000000..ae24138
--- /dev/null
+++ b/app/controllers/welcome_controller.rb
@@ -0,0 +1,82 @@
+class WelcomeController < ApplicationController
+  # GET /
+  def index
+  end
+
+  # GET /authenticate(/:token)
+  # Discourse SSO Authentication
+  def authenticate
+    # Ensure nobody tries silly things with our session
+    if params[:token].present? && !params[:token].match?(/[a-z0-9]{32}/)
+      raise(ArgumentError, "Token invalid")
+    end
+
+    # Try an ongoing SSO or create a new one
+    @sso = SSO::FromDiscourse.new(token: params[:token], nonce: session[params[:token]])
+    # Remove any current session
+    Rails.logger.info("Removing current session (#{session[:current_user]})")
+    session.destroy
+    @current_user = nil
+
+    if params[:token].nil? # Send to authenticate
+      # Record this token and nonce in the session
+      session[@sso.token] = @sso.nonce
+      # Send to authorization
+      redirect_to @sso.request_uri and return
+    end
+
+    # Validate authentication
+    begin
+      @sso.parse(params)
+    rescue ArgumentError => e
+      return 403, e.message
+    end
+
+    case @sso.status
+    when :unauthorized
+      Rails.logger.info("Authentication failed!")
+      return 403
+    when :ok
+      Rails.logger.info("Authentication succeeded!")
+      @current_user = User.find_by(external_id: @sso.user_info[:external_id]) ||
+                      begin
+                        Rails.logger.info('new user...')
+                        u = User.create(
+                          external_id: @sso.user_info[:external_id],
+                          avatar_url: @sso.user_info[:avatar_url],
+                          email: @sso.user_info[:email],
+                          name: @sso.user_info[:name],
+                          username: @sso.user_info[:username])
+                        Rails.logger.info('created user %s' % u.inspect)
+                        u
+                      rescue Exception => e
+                        raise
+                      end
+      # Update user agents
+      # TODO: do it as a background job, it has nothing to do here.
+      @sso.user_info[:groups].split(',').each do |g|
+        a = Agent.find_by_name(g)
+        if a
+          # TODO: call Discourse and make :leader if group owner
+          # TODO: do not create the record if it exists
+          a.agencies.create(user: u, roles: 2) # make new user an editor
+          Rails.logger.info('User has Agent %s' % g)
+        end
+      end
+      session[:current_user] = @current_user[:external_id]
+    end
+
+    redirect_to '/my/dashboard'
+  end
+
+  # GET /dashboard
+  def dashboard
+    redirect_to '/authenticate' and return unless current_user.present?
+  end
+
+  # GET /logout
+  def logout
+    session.destroy
+    render :index
+  end
+end
-- 
cgit v1.2.3