slovensko-digital · mirrec · Apr 7, 2022 · Apr 7, 2022 · Apr 7, 2022 · Apr 7, 2022
diff --git a/.env.sample b/.env.sample
@@ -5,6 +5,9 @@ ADMIN_USERNAME=admin
 ADMIN_PASSWORD=admin
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
+AUTH_EID_BASE_URL=
+AUTH_EID_PUBLIC_KEY=
+AUTH_EID_PRIVATE_KEY=
 
 DEFAULT_EMAIL_FROM=navody@digital
 

diff --git a/.tool-versions b/.tool-versions
@@ -0,0 +1 @@
+ruby 2.7.5
diff --git a/Gemfile b/Gemfile
@@ -65,6 +65,7 @@ gem 'validate_url'
 # sendinblue V3
 gem 'sib-api-v3-sdk'
 gem 'recaptcha'
+gem 'jwt'
 gem 'friendly_id'
 
 group :development, :test do

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -415,6 +415,7 @@ DEPENDENCIES
   hirb
   jbuilder
   jquery-rails
+  jwt
   kaminari
   letter_opener_web
   listen

diff --git a/app/assets/images/eid-card-yellow.svg b/app/assets/images/eid-card-yellow.svg
diff --git a/app/assets/images/eid-card.svg b/app/assets/images/eid-card.svg
diff --git a/app/assets/images/eid-sk.svg b/app/assets/images/eid-sk.svg
diff --git a/app/controllers/eid/onboarding_controller.rb b/app/controllers/eid/onboarding_controller.rb
@@ -0,0 +1,11 @@
+module Eid
+  class OnboardingController < ApplicationController
+    def new
+      # TODO
+    end
+
+    def create
+      # TODO
+    end
+  end
+end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -6,10 +6,21 @@ def new
   end
 
   def create
+    if new_eid_identity?
+      session[:eid_uid] = auth_hash.uid
+      redirect_to new_eid_onboarding_path
+      return
+    end
+
     redirect_to new_session_path, alert: 'Prosím zadajte e-mail' and return unless auth_email.present?
 
     user = User.find_by('lower(email) = lower(?)', auth_email) || User.create!(email: auth_email)
 
+    if eid_identity_approval?
+      user.update!(eid_sub: auth_hash.info['eid_uid'])
+      session.delete(:eid_uid)
+    end
+
     session[:user_id] = user.id
     redirect_to after_login_redirect_path, notice: 'Prihlásenie úspešné. Vitajte!'
   end
@@ -23,10 +34,36 @@ def failure
     @strategy = params[:strategy]
   end
 
-  def destroy
+  def logout
     reset_session
 
-    redirect_to root_path, notice: 'Odhlásenie bolo úspešné.'
+    if params[:callback].present?
+      redirect_to params[:callback]
+    else
+      redirect_to root_path, notice: 'Odhlásenie bolo úspešné.'
+    end
+  end
+
+  def destroy
+    eid_encoded_token = session[:eid_encoded_token]
+    eid_token_expires_at = session[:eid_token_expires_at].present? ? Time.zone.parse(session[:eid_token_expires_at]) : nil
+
+    if eid_encoded_token.present? && eid_token_expires_at&.future?
+      eid_config = Rails.application.config_for(:auth)[:eid]
+
+      eid_encoded_token = eid_encoded_token
+      logout_url = "#{eid_config[:base_url]}/logout"
+      private_key = OpenSSL::PKey::RSA.new(eid_config[:private_key])
+      logout_token = JWT.encode({
+                                  "exp": (Time.zone.now + 5.minutes).to_i,
+                                  "jti": SecureRandom.uuid,
+                                  "obo": eid_encoded_token,
+                                }, private_key, 'RS256', { cty: 'JWT' })
+
+      redirect_to "#{logout_url}?token=#{logout_token}"
+    else
+      logout
+    end
   end
 
   protected
@@ -41,6 +78,14 @@ def auth_hash
 
   private
 
+  def new_eid_identity?
+    auth_hash.provider == "eid" && auth_hash.info['email'].blank?
+  end
+
+  def eid_identity_approval?
+    auth_hash.provider == "magiclink" && auth_hash.info['eid_uid'].present?
+  end
+
   def after_login_redirect_path
     return session[:after_login_callback] if session[:after_login_callback]&.start_with?("/") # Only allow local redirects
     root_path

diff --git a/app/views/eid/onboarding/new.html.erb b/app/views/eid/onboarding/new.html.erb
@@ -0,0 +1,26 @@
+<% content_for :title, build_page_title('Zadajte email k svojmu účtu') %>
+
+<div class="govuk-grid-row govuk-!-padding-top-9">
+  <div class="govuk-grid-column-two-thirds">
+    <span class="govuk-caption-l">Predtým, než začnete...</span>
+    <h1 class="govuk-heading-l">Budeme potrebovať váš email</h1>
+  </div>
+</div>
+<div class="govuk-grid-row">
+  <div class="govuk-grid-column-one-half">
+    <%= form_tag(auth_path(:magiclink), method: :post, id: 'login-email') do %>
+      <fieldset class="govuk-fieldset">
+        <div class="govuk-form-group">
+          <span class="govuk-label-wrapper">
+            <label class="govuk-label govuk-label--m">na ktorý budete dostávať upozornenia</label>
+          </span>
+          <span class="govuk-hint">
+            Pošleme Vám jednoduchý odkaz na overenie emailu.
+          </span>
+          <%= email_field_tag :email, nil, class: 'govuk-input', required: true %>
+        </div>
+        <%= submit_tag 'Dokončiť založenie účtu', class: 'govuk-button' %>
+      </fieldset>
+    <% end %>
+  </div>
+</div>
diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
@@ -8,11 +8,19 @@
   </div>
 </div>
 <div class="govuk-grid-row">
-  <div class="govuk-grid-column-one-half">
-    <%= form_tag(auth_path(:google_oauth2), method: :post, class: 'govuk-body govuk-!-margin-bottom-8') do %>
+  <div class="govuk-grid-column-one-quarter govuk-!-margin-bottom-8">
+    <%= form_tag(auth_path(:google_oauth2), method: :post) do %>
       <%= image_submit_tag 'google/btn_google_signin_dark_normal.svg', class: 'govuk-link', title: 'Prihlásiť sa cez Google', alt: 'Prihlásiť sa cez Google', style: 'max-width: 300px' %>
     <% end %>
-
+  </div>
+  <div class="govuk-grid-column-one-quarter govuk-!-margin-bottom-8">
+    <%= form_tag(auth_path(:eid), method: :post, id: 'login-eid') do %>
+      <%= image_submit_tag 'eid-sk.svg', class: 'govuk-link', title: 'Prihlásiť sa cez EID', alt: 'Prihlásiť sa cez EID', style: 'max-width: 300px' %>
+    <% end %>
+  </div>
+</div>
+<div class="govuk-grid-row">
+  <div class="govuk-grid-column-one-half">
     <%= form_tag(auth_path(:magiclink), method: :post, id: 'login-email') do %>
       <fieldset class="govuk-fieldset">
         <div class="govuk-form-group">

diff --git a/config/auth.yml b/config/auth.yml
@@ -6,6 +6,11 @@ default: &default
   sendinblue:
     api_key: <%= ENV.fetch('SENDINBLUE_API_KEY', nil) %>
 
+  eid:
+    base_url: <%= ENV.fetch('AUTH_EID_BASE_URL', nil) %>
+    public_key: <%= ENV.fetch('AUTH_EID_PUBLIC_KEY', nil).inspect %>
+    private_key: <%= ENV.fetch('AUTH_EID_PRIVATE_KEY', nil).inspect %>
+
 development:
   <<: *default
 

diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
@@ -1,4 +1,6 @@
 require 'omniauth/strategies/magic_link'
+require 'omniauth/strategies/eid'
+
 OmniAuth.config.logger = Rails.logger
 OmniAuth.config.failure_raise_out_environments = []
 
@@ -12,5 +14,9 @@
       UserMailer.with(email: email, token: token).magic_link.deliver_later
     }
   }
+  provider :eid, {
+    base_url: Rails.application.config_for(:auth).dig(:eid, :base_url),
+    public_key: Rails.application.config_for(:auth).dig(:eid, :public_key),
+  }
 end
 
diff --git a/config/puma.rb b/config/puma.rb
@@ -4,7 +4,7 @@
 # the maximum value specified for Puma. Default is set to 5 threads for minimum
 # and maximum; this matches the default thread size of Active Record.
 #
-max_threads_count = ENV.fetch("RAILS_MAX_THREADS") { 5 }
+max_threads_count = ENV.fetch("RAILS_MAX_THREADS") { 1 }
 min_threads_count = ENV.fetch("RAILS_MIN_THREADS") { max_threads_count }
 threads min_threads_count, max_threads_count
 

diff --git a/config/routes.rb b/config/routes.rb
@@ -105,6 +105,12 @@
   get '/auth/:provider/callback', to: 'sessions#create', as: :auth_callback
   post '/auth/:provider', to: lambda { |_| [404, {}, ["Not Found"]] }, as: :auth
 
+  get 'login', to: 'sessions#create', as: :eid_auth_callback  # TODO: add constraint for origin check
+  get 'logout', to: 'sessions#logout', as: :eid_deauth_callback  # TODO: add constraint for origin check
+  namespace :eid do
+    resources :onboarding, only: [:new, :create]
+  end
+
   resources :faqs, path: 'casto-kladene-otazky'
   resources :pages, path: '', only: 'show'
   resources :feedbacks, path: 'spatna-vazba'

diff --git a/db/migrate/20220407131258_add_eid_sub_to_users.rb b/db/migrate/20220407131258_add_eid_sub_to_users.rb
@@ -0,0 +1,6 @@
+class AddEidSubToUsers < ActiveRecord::Migration[6.1]
+  def change
+    add_column :users, :eid_sub, :string, null: true
+    add_index :users, :eid_sub
+  end
+end
diff --git a/db/structure.sql b/db/structure.sql
@@ -871,7 +871,8 @@ CREATE TABLE public.users (
     id bigint NOT NULL,
     email text NOT NULL,
     created_at timestamp without time zone NOT NULL,
-    updated_at timestamp without time zone NOT NULL
+    updated_at timestamp without time zone NOT NULL,
+    eid_sub character varying
 );
 
 
@@ -1378,6 +1379,13 @@ CREATE INDEX index_user_tasks_on_task_id ON public.user_tasks USING btree (task_
 CREATE INDEX index_user_tasks_on_user_step_id ON public.user_tasks USING btree (user_step_id);
 
 
+--
+-- Name: index_users_on_eid_sub; Type: INDEX; Schema: public; Owner: -
+--
+
+CREATE INDEX index_users_on_eid_sub ON public.users USING btree (eid_sub);
+
+
 --
 -- Name: index_users_on_email; Type: INDEX; Schema: public; Owner: -
 --
@@ -1633,6 +1641,7 @@ INSERT INTO "schema_migrations" (version) VALUES
 ('20210321172132'),
 ('20210321181737'),
 ('20220322180237'),
-('20220323214831');
+('20220323214831'),
+('20220407131258');