added eeid auth

Gemfile

@@ -39,6 +39,9 @@ gem 'net-smtp', require: false
 gem 'net-imap', require: false
 gem 'net-pop', require: false
 gem "apipie-rails", "~> 1.2.0"
+gem 'omniauth', '>=2.0.0'
+gem 'omniauth-rails_csrf_protection'
+gem 'omniauth-tara', github: 'internetee/omniauth-tara'
 
 # Use Rack CORS for handling Cross-Origin Resource Sharing (CORS), making cross-origin AJAX possible
 # gem 'rack-cors'

app/controllers/auth/tara_controller.rb

@@ -0,0 +1,51 @@
+# rubocop:disable Metrics
+
+module Auth
+  class TaraController < ParentController
+    allow_unauthenticated
+
+    def callback
+      expires_now
+
+      unless in_white_list?
+        flash[:alert] = I18n.t('.access_denied')
+        redirect_to sign_in_path, status: :see_other and return
+      end
+
+      session[:omniauth_hash] = user_hash.delete_if { |key, _| key == 'credentials' }
+      @user = User.from_omniauth(user_hash)
+      @user.save! && @user.reload
+
+      @app_session = create_app_session
+
+      if @app_session
+        log_in @app_session
+        set_current_session
+
+        redirect_to root_path, status: :see_other
+      else
+        flash[:alert] = I18n.t('.incorrect_details')
+        render 'dashboard/index', status: :unprocessable_entity
+      end
+    end
+
+    private
+
+    def in_white_list?
+      WhiteCode.find_by(code: user_hash['uid'].slice(2..-1)).present?
+    end
+
+    def set_current_session
+      Current.user = @user
+      flash[:notice] = I18n.t('.success')
+    end
+
+    def user_hash
+      request.env['omniauth.auth']
+    end
+
+    def create_app_session
+      @user.app_sessions.create
+    end
+  end
+end

app/controllers/concerns/authenticate.rb

@@ -0,0 +1,72 @@
+module Authenticate
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :authenticate
+    before_action :need_to_login, unless: :logged_in?
+
+    helper_method :logged_in?
+    helper_method :current_user
+  end
+
+  class_methods do
+    def skip_authentication(**options)
+      skip_before_action :authenticate, options
+      skip_before_action :need_to_login, options
+    end
+
+    def allow_unauthenticated(**options)
+      skip_before_action :need_to_login, options
+    end
+  end
+
+  protected
+
+  def log_in(app_session, remember_me: false)
+    if remember_me
+      cookies.encrypted.permanent[:app_session] = {
+        value: app_session.to_h
+      }
+    else
+      cookies.signed[:app_session] = {
+        value: app_session.to_h,
+        expires: 1.day
+      }
+    end
+  end
+
+  def logout
+    Current&.app_session&.destroy
+  end
+
+  def logged_in?
+    Current.user.present?
+  end
+
+  def current_user
+    Current.user
+  end
+
+  private
+
+  def need_to_login
+    flash[:notice] = t('login_required')
+    render 'sessions/new', status: :unauthorized
+  end
+
+  def authenticate
+    cookie = cookies.encrypted[:app_session]&.with_indifferent_access
+    cookie = cookies.signed[:app_session]&.with_indifferent_access if cookie.nil?
+
+    return nil if cookie.nil?
+
+    user = User.find(cookie[:user_id])
+    app_session = user&.authenticate_session_token(cookie[:app_session], cookie[:token])
+
+    Current.user = app_session&.user
+    Current.app_session = app_session
+  rescue NoMatchingPatternError, ActiveRecord::RecordNotFound
+    Current.user = nil
+    Current.app_session = nil
+  end
+end

app/controllers/dashboard_controller.rb

@@ -1,6 +1,4 @@
 class DashboardController < ParentController
-  before_action :require_user_logged_in!
-
   def index
     @pagy, @invoices = pagy(Invoice.search(params),
                             items: params[:per_page] ||= 25,

app/controllers/dashboards/invoice_status_controller.rb

@@ -1,6 +1,4 @@
 class Dashboards::InvoiceStatusController < ParentController
-  before_action :require_user_logged_in!
-
   def update
     @invoice = Invoice.find(params[:id])
     temporary_unavailable and return unless @invoice.registry?

app/controllers/everypay_controller.rb

@@ -1,6 +1,4 @@
 class EverypayController < ParentController
-  before_action :require_user_logged_in!
-
   def index; end
 
   def everypay_data

app/controllers/invoice_details/descriptions_controller.rb

@@ -1,6 +1,4 @@
 class InvoiceDetails::DescriptionsController < ParentController
-  before_action :require_user_logged_in!
-
   def show
     @description = Invoice.find(params[:id])&.description
   end

app/controllers/invoice_details/directo_controller.rb

@@ -1,8 +1,5 @@
 class InvoiceDetails::DirectoController < ParentController
   require 'rexml/document'
-
-  before_action :require_user_logged_in!
-
   def show
     directo = Invoice.find(params[:id])
 

app/controllers/invoice_details/everypay_response_controller.rb

@@ -1,6 +1,4 @@
 class InvoiceDetails::EverypayResponseController < ParentController
-  before_action :require_user_logged_in!
-
   def show
     everypay = Invoice.find(params[:id])
     @everypay = everypay.everypay_response

app/controllers/invoice_details/payment_references_controller.rb

@@ -1,6 +1,4 @@
 class InvoiceDetails::PaymentReferencesController < ParentController
-  before_action :require_user_logged_in!
-
   def show
     @payment_reference = Invoice.find(params[:id])&.payment_reference
   end

app/controllers/parent_controller.rb

@@ -3,25 +3,14 @@ class ParentController < ActionController::Base
 
   include AbstractController::Rendering
   include ActionView::Layouts
-  # append_view_path "#{Rails.root}/app/views/layouts"
-  layout "application"
+  include Authenticate
+
+  layout 'application'
   skip_before_action :verify_authenticity_token
 
   helper_method :turbo_frame_request?
 
-  before_action :set_current_user
-
   def render_turbo_flash
     turbo_stream.update('flash', partial: 'shared/flash')
   end
-
-  def set_current_user
-    # finds user with session data and stores it if present
-    Current.user = User.find_by(id: session[:user_id]) if session[:user_id]
-  end
-
-  def require_user_logged_in!
-    # allows only logged in user
-    redirect_to sign_in_path, alert: 'You must be signed in', turbolinks: false if Current.user.nil?
-  end
 end

app/controllers/references_controller.rb

@@ -1,6 +1,4 @@
 class ReferencesController < ParentController
-  before_action :require_user_logged_in!
-
   def index
     @pagy, @references = pagy(Reference.search(params), items: params[:per_page] ||= 25,
                                                         link_extra: 'data-turbo-action="advance"')

app/controllers/sessions_controller.rb

@@ -1,19 +1,23 @@
 class SessionsController < ParentController
+  allow_unauthenticated
+
   def new; end
 
-  def create
-    user = User.find_by(email: params[:email])
-    if user.present? && user.authenticate(params[:password])
-      session[:user_id] = user.id
-      redirect_to root_path, status: :see_other, flash: { notice: 'Logged in successfully' }
-    else
-      flash.now[:alert] = 'Wrong username/password'
-      render :new, status: :unprocessable_entity
-    end
-  end
+  # def create
+  #   user = User.find_by(email: params[:email])
+  #   if user.present? && user.authenticate(params[:password])
+  #     session[:user_id] = user.id
+  #     redirect_to root_path, status: :see_other, flash: { notice: 'Logged in successfully' }
+  #   else
+  #     flash.now[:alert] = 'Wrong username/password'
+  #     render :new, status: :unprocessable_entity
+  #   end
+  # end
 
   def destroy
-    session[:user_id] = nil
-    redirect_to sign_in_path, flash: { notice: 'Logged out' }
+    logout
+
+    flash[:success] = t('.success')
+    redirect_to root_path, status: :see_other
   end
 end