diff --git a/Gemfile b/Gemfile
index 661419ff..10d143b9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -46,6 +46,8 @@ gem 'omniauth'
gem 'omniauth-google-oauth2'
gem 'omniauth-rails_csrf_protection'
+gem 'altcha-rails'
+
gem 'pry-rails'
gem 'aws-sdk-rails'
diff --git a/Gemfile.lock b/Gemfile.lock
index dbcd617e..a6aae8cd 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -62,6 +62,7 @@ GEM
zeitwerk (~> 2.3)
addressable (2.8.5)
public_suffix (>= 2.0.2, < 6.0)
+ altcha-rails (0.0.5)
aws-eventstream (1.2.0)
aws-partitions (1.734.0)
aws-record (2.10.1)
@@ -460,6 +461,7 @@ PLATFORMS
ruby
DEPENDENCIES
+ altcha-rails
aws-sdk-cloudwatch
aws-sdk-rails
aws-sdk-s3
diff --git a/app/assets/javascripts/application.js b/app/assets/javascripts/application.js
index a870b1ef..64e522b3 100644
--- a/app/assets/javascripts/application.js
+++ b/app/assets/javascripts/application.js
@@ -15,7 +15,6 @@
//= require activestorage
//= require turbolinks
//= require cookieconsent.min
-//= require newsletter_sign_up
//= require jscookie
$(document).on("turbolinks:load", function () {
diff --git a/app/assets/javascripts/newsletter_sign_up.js b/app/assets/javascripts/newsletter_sign_up.js
deleted file mode 100644
index dda5cfb3..00000000
--- a/app/assets/javascripts/newsletter_sign_up.js
+++ /dev/null
@@ -1,42 +0,0 @@
-$(document).on('turbolinks:load', function () {
- $('#newsletter-form').submit(function (evt) {
- evt.preventDefault();
-
- var form = $(evt.target);
- var data = form.serialize();
- var button = form.find('button')[0];
- button.innerHTML = 'Prihlasujem...';
-
- $.ajax({
- type: 'POST',
- url: form.data('action'),
- data: data,
- dataType: 'json',
- success: function (data) {
- if (data.result !== undefined) {
- if (data.result.result === 'success') {
- form.remove();
- $('#newsletter-success').show();
- if ($('#newsletter-warning').is(':visible')) {
- $('#newsletter-warning').hide();
- }
- } else {
- var warningText = null;
- if (data.result.result === 'emailExist') {
- warningText = data.result.exist_err_msg;
- } else if (data.result.result === 'invalidEmail') {
- warningText = data.result.invalid_err_msg;
- } else {
- warningText = 'Prihlásenie do newslettera sa nepodarilo. Prosím skúste znova.'
- }
- $('#newsletter-warning').show();
- $('#newsletter-warning strong').text(warningText);
- }
- }
- },
- complete: function () {
- button.innerHTML = 'Prihlásiť'
- }
- });
- });
-});
diff --git a/app/controllers/altcha_controller.rb b/app/controllers/altcha_controller.rb
new file mode 100644
index 00000000..cd31d3a2
--- /dev/null
+++ b/app/controllers/altcha_controller.rb
@@ -0,0 +1,5 @@
+class AltchaController < ApplicationController
+ def new
+ render json: Altcha::Challenge.create.to_json
+ end
+end
diff --git a/app/controllers/newsletter_subscriptions_controller.rb b/app/controllers/newsletter_subscriptions_controller.rb
new file mode 100644
index 00000000..3f06c788
--- /dev/null
+++ b/app/controllers/newsletter_subscriptions_controller.rb
@@ -0,0 +1,22 @@
+class NewsletterSubscriptionsController < ApplicationController
+
+ def subscribe
+ email, altcha = subscription_params
+ if AltchaSolution.verify_and_save(altcha)
+ SubscribeToNewsletterJob.perform_later(email, 'NewsletterSubscription')
+ respond_to do |format|
+ format.js { render :success}
+ end
+ else
+ respond_to do |format|
+ format.js { render :altcha_failure, status: :unprocessable_entity}
+ end
+ end
+ end
+
+ private
+
+ def subscription_params
+ params.require([:email, :altcha])
+ end
+end
diff --git a/app/controllers/notification_subscriptions_controller.rb b/app/controllers/notification_subscriptions_controller.rb
index 42da9231..f8d845da 100644
--- a/app/controllers/notification_subscriptions_controller.rb
+++ b/app/controllers/notification_subscriptions_controller.rb
@@ -7,17 +7,22 @@ def index
def create
@group = NotificationSubscriptionGroup.new(notification_group_params.except(:more))
- @group.user = current_user
- @group.journey = Journey.find(params[:notification_subscription_group][:journey_id]) if params[:notification_subscription_group][:journey_id].present?
-
- respond_to do |format|
- if @group.save
- format.html { redirect_to root_path }
- format.js
- else
- format.js { render :new }
+ if AltchaSolution.verify_and_save(params.permit(:altcha)[:altcha])
+ @group.user = current_user
+ @group.journey = Journey.find(params[:notification_subscription_group][:journey_id]) if params[:notification_subscription_group][:journey_id].present?
+ respond_to do |format|
+ if @group.save
+ format.js
+ else
+ format.js { render :new }
+ end
+ end
+ else
+ respond_to do |format|
+ format.js { render :failure, status: :unprocessable_entity}
end
end
+
end
def confirm
diff --git a/app/models/altcha_solution.rb b/app/models/altcha_solution.rb
new file mode 100644
index 00000000..5f6143c1
--- /dev/null
+++ b/app/models/altcha_solution.rb
@@ -0,0 +1,28 @@
+class AltchaSolution < ApplicationRecord
+ validates :algorithm, :challenge, :salt, :signature, :number, presence: true
+ attr_accessor :took
+
+ def self.verify_and_save(base64encoded)
+ p = JSON.parse(Base64.decode64(base64encoded)) rescue nil
+ return false if p.nil?
+
+ submission = Altcha::Submission.new(p)
+ return false unless submission.valid?
+
+ solution = self.new(p)
+
+ begin
+ return solution.save
+ rescue ActiveRecord::RecordNotUnique
+ # Replay attack
+ return false
+ end
+ end
+
+ def self.cleanup
+ # Replay attacks are protected by the time stamp in the salt of the challenge for
+ # the duration configured in the timeout. All solutions in the database that older
+ # can be deleted.
+ AltchaSolution.where('created_at < ?', Time.now - Altcha.timeout).delete_all
+ end
+end
diff --git a/app/views/components/_footer.html.erb b/app/views/components/_footer.html.erb
index fa0f92c5..ea5ed53b 100644
--- a/app/views/components/_footer.html.erb
+++ b/app/views/components/_footer.html.erb
@@ -5,7 +5,7 @@
(raz mesačne)
- Na Váš e-mail sme poslali potvrdzovaciu správu.
+ Na Váš e-mail sme poslali potvrdzovaciu správu. Ak nechodí, skúste to znova.
Ďakujeme za Váš záujem.
@@ -15,16 +15,7 @@
-
+ <%= render 'newsletter_subscriptions/form' %>
Prihlásením dávam dobrovoľný súhlas OZ Slovensko.Digital na zasielanie bezplatného newslettera na mnou zadaný e-mail. Tento súhlas môžem kdykoľvek odvolať na <%= mail_to ENV['DEFAULT_EMAIL_FROM'], ENV['DEFAULT_EMAIL_FROM'], class: 'sdn-footer__link' %>. Oboznámil(a) som sa s informáciami v sekcii <%= link_to 'Ochrana osobných údajov', page_path('ochrana-osobnych-udajov'), class: 'sdn-footer__link' %>.
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 703f7e93..c44cc2bb 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -21,6 +21,7 @@
<%= stylesheet_link_tag 'application', media: 'all', 'data-turbolinks-track': 'reload' %>
<%= javascript_include_tag 'application', 'data-turbolinks-track': 'reload' %>
+
diff --git a/app/views/newsletter_subscriptions/_form.html.erb b/app/views/newsletter_subscriptions/_form.html.erb
new file mode 100644
index 00000000..0036e564
--- /dev/null
+++ b/app/views/newsletter_subscriptions/_form.html.erb
@@ -0,0 +1,6 @@
+<%= form_tag newsletter_subscribe_path, method: :post, remote: true, id: "newsletter-form" do |f| %>
+ <%= email_field_tag :email, '', class: 'govuk-input sdn-footer__newsletter-input', placeholder: "Zadajte emailovú adresu", autocomplete: :email %>
+ <%= submit_tag 'Prihlásiť', class: 'govuk-button sdn-footer__newsletter-button' %>
+
+
+<% end %>
diff --git a/app/views/newsletter_subscriptions/failure.js.erb b/app/views/newsletter_subscriptions/failure.js.erb
new file mode 100644
index 00000000..c3fb0d88
--- /dev/null
+++ b/app/views/newsletter_subscriptions/failure.js.erb
@@ -0,0 +1,2 @@
+$('#newsletter-form').replaceWith('<%=j render partial: 'newsletter_subscriptions/form', object: @group %>');
+$('.newsletter-altcha-error').html('Nie sme si isti, či nie ste robot... zaškrtli ste, že nie ste?');
diff --git a/app/views/newsletter_subscriptions/success.js.erb b/app/views/newsletter_subscriptions/success.js.erb
new file mode 100644
index 00000000..034537f9
--- /dev/null
+++ b/app/views/newsletter_subscriptions/success.js.erb
@@ -0,0 +1,4 @@
+$('#newsletter-success').show();
+if ($('#newsletter-warning').is(':visible')) {
+ $('#newsletter-warning').hide();
+}
diff --git a/app/views/notification_subscriptions/_form.html.erb b/app/views/notification_subscriptions/_form.html.erb
index 76ca9e44..59dcd322 100644
--- a/app/views/notification_subscriptions/_form.html.erb
+++ b/app/views/notification_subscriptions/_form.html.erb
@@ -43,6 +43,8 @@
<% if !form.journey.nil? and form.journey.blank? %>
<%= hidden_field_tag 'notification_subscription_group[journey_id]', form.journey.id %>
<% end %>
+
+
<%= submit_tag 'Chcem dostávať tieto notifikácie', class: 'govuk-button' %>
diff --git a/app/views/notification_subscriptions/failure.js.erb b/app/views/notification_subscriptions/failure.js.erb
new file mode 100644
index 00000000..c999c561
--- /dev/null
+++ b/app/views/notification_subscriptions/failure.js.erb
@@ -0,0 +1,2 @@
+$('#new_subscription_notification_group').replaceWith('<%=j render partial: 'form', object: @group %>');
+$('.altcha-error').html('Nie sme si isti, či nie ste robot... zaškrtli ste, že nie ste?');
diff --git a/config/initializers/altcha.rb b/config/initializers/altcha.rb
new file mode 100644
index 00000000..1b746da0
--- /dev/null
+++ b/config/initializers/altcha.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+Altcha.setup do |config|
+ config.algorithm = 'SHA-256'
+ config.num_range = (50_000..51_000)
+ config.timeout = 5.minutes
+ config.hmac_key = 'dfa06d467a84fea13941f1c52c38c6458a67617a'
+end
diff --git a/config/routes.rb b/config/routes.rb
index cf99a807..6cc5a3e3 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,5 +1,6 @@
Rails.application.routes.draw do
+ get '/altcha', to: 'altcha#new'
get :health, to: 'health#index'
get 'robots.:format', to: 'robots#index'
@@ -166,6 +167,8 @@
get :confirm, on: :member, path: 'potvrdit'
end
+ post 'newsletter/subscribe', to: 'newsletter_subscriptions#subscribe', as: :newsletter_subscribe
+
resource :session, only: [:new, :create, :destroy]
get '/auth/magiclink/info', to: 'sessions#magic_link_info'
get '/auth/failure', to: 'sessions#failure'
diff --git a/db/migrate/20240427082705_create_altcha_solutions.rb b/db/migrate/20240427082705_create_altcha_solutions.rb
new file mode 100644
index 00000000..5ddc7726
--- /dev/null
+++ b/db/migrate/20240427082705_create_altcha_solutions.rb
@@ -0,0 +1,15 @@
+class CreateAltchaSolutions < ActiveRecord::Migration[6.1]
+ def change
+ create_table(:altcha_solutions) do |t|
+ t.string :algorithm
+ t.string :challenge
+ t.string :salt
+ t.string :signature
+ t.integer :number
+
+ t.timestamps
+ end
+
+ add_index :altcha_solutions, [ :algorithm, :challenge, :salt, :signature, :number ], unique: true, name: 'index_altcha_solutions'
+ end
+end
diff --git a/db/structure.sql b/db/structure.sql
index 0010d3d2..a8637e3c 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -467,6 +467,41 @@ CREATE SEQUENCE public.active_storage_variant_records_id_seq
ALTER SEQUENCE public.active_storage_variant_records_id_seq OWNED BY public.active_storage_variant_records.id;
+--
+-- Name: altcha_solutions; Type: TABLE; Schema: public; Owner: -
+--
+
+CREATE TABLE public.altcha_solutions (
+ id bigint NOT NULL,
+ algorithm character varying,
+ challenge character varying,
+ salt character varying,
+ signature character varying,
+ number integer,
+ created_at timestamp(6) without time zone NOT NULL,
+ updated_at timestamp(6) without time zone NOT NULL
+);
+
+
+--
+-- Name: altcha_solutions_id_seq; Type: SEQUENCE; Schema: public; Owner: -
+--
+
+CREATE SEQUENCE public.altcha_solutions_id_seq
+ START WITH 1
+ INCREMENT BY 1
+ NO MINVALUE
+ NO MAXVALUE
+ CACHE 1;
+
+
+--
+-- Name: altcha_solutions_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: -
+--
+
+ALTER SEQUENCE public.altcha_solutions_id_seq OWNED BY public.altcha_solutions.id;
+
+
--
-- Name: apps; Type: TABLE; Schema: public; Owner: -
--
@@ -1647,6 +1682,14 @@ ALTER TABLE ONLY public.active_storage_variant_records
ADD CONSTRAINT active_storage_variant_records_pkey PRIMARY KEY (id);
+--
+-- Name: altcha_solutions altcha_solutions_pkey; Type: CONSTRAINT; Schema: public; Owner: -
+--
+
+ALTER TABLE ONLY public.altcha_solutions
+ ADD CONSTRAINT altcha_solutions_pkey PRIMARY KEY (id);
+
+
--
-- Name: apps apps_pkey; Type: CONSTRAINT; Schema: public; Owner: -
--
@@ -1899,6 +1942,13 @@ CREATE UNIQUE INDEX index_active_storage_blobs_on_key ON public.active_storage_b
CREATE UNIQUE INDEX index_active_storage_variant_records_uniqueness ON public.active_storage_variant_records USING btree (blob_id, variation_digest);
+--
+-- Name: index_altcha_solutions; Type: INDEX; Schema: public; Owner: -
+--
+
+CREATE UNIQUE INDEX index_altcha_solutions ON public.altcha_solutions USING btree (algorithm, challenge, salt, signature, number);
+
+
--
-- Name: index_categories_categorizations; Type: INDEX; Schema: public; Owner: -
--
@@ -2440,6 +2490,7 @@ INSERT INTO "schema_migrations" (version) VALUES
('20230325092744'),
('20230325095737'),
('20230325151049'),
+('20240427082705'),
('20240427124856');