Merge staging into master

Author: github-actions[bot]

.github/workflows/continuous-delivery.yml

@@ -19,6 +19,7 @@ on:
         options:
           - csvalpha
           - luxadmosam
+          - euros
         default: 'csvalpha'
 
 concurrency:
@@ -40,9 +41,11 @@ jobs:
             echo 'This workflow can only be run on branches staging and master.'
             exit 1
           fi
-          if [ "$TARGET_ENV" == 'luxadmosam' ] && [ "$GITHUB_REF_NAME" != 'master' ]; then
-            echo 'Only the master branch can be deployed to Lux ad Mosam.'
-            exit 1
+          if [ "$TARGET_ENV" == 'luxadmosam' ] || [ "$TARGET_ENV" == 'euros' ]; then
+            if [ "$GITHUB_REF_NAME" != 'master' ]; then
+              echo 'Only the master branch can be deployed to external parties.'
+              exit 1
+            fi
           fi
 
   metadata:
@@ -74,6 +77,8 @@ jobs:
 
             if [ "$TARGET_ENV" == 'luxadmosam' ]; then
               echo 'stage=luxproduction' >> "$GITHUB_OUTPUT"
+            elif [ "$TARGET_ENV" == 'euros' ]; then
+              echo 'stage=euros' >> "$GITHUB_OUTPUT"
             else
               echo 'stage=production' >> "$GITHUB_OUTPUT"
             fi
@@ -159,6 +164,8 @@ jobs:
         run: |
           if [ "$TARGET_ENV" == 'luxadmosam' ] && [ "$GITHUB_REF_NAME" = 'master' ]; then
             echo 'environment_url=https://luxstreep.csvalpha.nl' >> "$GITHUB_OUTPUT"
+          elif [ "$TARGET_ENV" == 'euros' ] && [ "$GITHUB_REF_NAME" = 'master' ]; then
+            echo 'environment_url=https://euros.csvalpha.nl' >> "$GITHUB_OUTPUT"
           elif [ "$GITHUB_REF_NAME" = 'master' ]; then
             echo 'environment_url=https://streep.csvalpha.nl' >> "$GITHUB_OUTPUT"
           else

.nvmrc

@@ -1 +1 @@
-18.20.8
+20.19.5

.rubocop.yml

@@ -24,6 +24,7 @@ Rails/UnknownEnv:
   Environments:
     - production
     - luxproduction
+    - euros
     - development
     - test
     - staging

Dockerfile

@@ -19,7 +19,7 @@ RUN apt-get update -qq && \
   libyaml-dev
 
 # Add Node, required for asset pipeline.
-RUN curl -sL https://deb.nodesource.com/setup_18.x | bash - && \
+RUN curl -sL https://deb.nodesource.com/setup_20.x | bash - && \
   apt-get install -y nodejs && \
   npm install -q -g yarn
 
@@ -28,7 +28,7 @@ WORKDIR /app
 
 # Pre-install gems, so that they can be cached.
 COPY Gemfile* /app/
-RUN if [ "$RAILS_ENV" = 'production' ] || [ "$RAILS_ENV" = 'staging' ] || [ "$RAILS_ENV" = 'luxproduction' ]; then \
+RUN if [ "$RAILS_ENV" = 'production' ] || [ "$RAILS_ENV" = 'staging' ] || [ "$RAILS_ENV" = 'luxproduction' ] || [ "$RAILS_ENV" = 'euros' ]; then \
     bundle config set --local without 'development test'; \
   else \
     bundle config set --local without 'development'; \
@@ -43,7 +43,7 @@ RUN yarn install --immutable
 COPY . /app/
 
 # Precompile assets after copying app because whole Rails pipeline is needed.
-RUN if [ "$RAILS_ENV" = 'production' ] || [ "$RAILS_ENV" = 'staging' ] || [ "$RAILS_ENV" = 'luxproduction' ]; then \
+RUN if [ "$RAILS_ENV" = 'production' ] || [ "$RAILS_ENV" = 'staging' ] || [ "$RAILS_ENV" = 'luxproduction' ] || [ "$RAILS_ENV" = 'euros' ]; then \
     SECRET_KEY_BASE_DUMMY=1 bundle exec rails assets:precompile; \
   else \
     echo "Skipping assets:precompile"; \

Gemfile

@@ -1,5 +1,6 @@
 source 'https://rubygems.org'
 
+gem 'active_model_otp', '~> 2.3', '>= 2.3.1'
 gem 'bcrypt', '~> 3.1.20'
 gem 'bootsnap', '~> 1.19.0'
 gem 'browser', '~> 6.2.0'
@@ -19,6 +20,7 @@ gem 'net-imap', '~> 0.5.12'
 gem 'net-pop',  '~> 0.1.2'
 gem 'net-smtp', '~> 0.5.1'
 gem 'omniauth', '~> 2.1.4'
+gem 'omniauth-identity', '~> 3.1', '>= 3.1.2'
 gem 'omniauth-oauth2', '~> 1.8.0'
 gem 'omniauth-rails_csrf_protection', '~> 1.0'
 gem 'paper_trail', '~> 17.0.0'
@@ -31,6 +33,7 @@ gem 'rails', '~> 7.2.3'
 gem 'rails-i18n', '~> 7.0.10'
 gem 'redis', '~> 5.0'
 gem 'rest-client', '~> 2.1.0'
+gem 'rqrcode', '~> 2.2'
 gem 'sentry-rails', '~> 6.1', '>= 6.1.1'
 gem 'sentry-ruby', '~> 6.1', '>= 6.1.1'
 gem 'sentry-sidekiq', '~> 6.1', '>= 6.1.1'

Gemfile.lock

@@ -47,6 +47,9 @@ GEM
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
+    active_model_otp (2.3.4)
+      activemodel
+      rotp (~> 6.3.0)
     activejob (7.2.3)
       activesupport (= 7.2.3)
       globalid (>= 0.3.6)
@@ -111,10 +114,11 @@ GEM
       capistrano-bundler
       sidekiq (>= 7.0)
     cgi (0.5.0)
+    chunky_png (1.4.0)
     coderay (1.1.3)
     colorize (1.1.0)
     concurrent-ruby (1.3.5)
-    connection_pool (2.5.4)
+    connection_pool (2.5.5)
     crass (1.0.6)
     cssbundling-rails (1.4.3)
       railties (>= 6.0.0)
@@ -278,6 +282,7 @@ GEM
     multi_json (1.17.0)
     multi_xml (0.7.2)
       bigdecimal (~> 3.1)
+    mutex_m (0.3.0)
     nenv (0.3.0)
     net-http (0.6.0)
       uri
@@ -315,6 +320,11 @@ GEM
       logger
       rack (>= 2.2.3)
       rack-protection
+    omniauth-identity (3.1.5)
+      bcrypt (~> 3.1)
+      mutex_m (~> 0.1)
+      omniauth (>= 1)
+      version_gem (~> 1.1, >= 1.1.9)
     omniauth-oauth2 (1.8.0)
       oauth2 (>= 1.4, < 3)
       omniauth (~> 2.0)
@@ -413,7 +423,7 @@ GEM
     rb-inotify (0.11.1)
       ffi (~> 1.0)
     rb-readline (0.5.5)
-    rdoc (6.15.1)
+    rdoc (6.16.1)
       erb
       psych (>= 4.0.0)
       tsort
@@ -434,7 +444,12 @@ GEM
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
+    rotp (6.3.0)
     rouge (4.6.1)
+    rqrcode (2.2.0)
+      chunky_png (~> 1.0)
+      rqrcode_core (~> 1.0)
+    rqrcode_core (1.2.0)
     rspec (3.13.2)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
@@ -444,7 +459,7 @@ GEM
     rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.6)
+    rspec-mocks (3.13.7)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-rails (8.0.2)
@@ -594,6 +609,7 @@ PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
+  active_model_otp (~> 2.3, >= 2.3.1)
   awesome_print (~> 1.9.2)
   bcrypt (~> 3.1.20)
   better_errors (~> 2.10.1)
@@ -626,6 +642,7 @@ DEPENDENCIES
   net-pop (~> 0.1.2)
   net-smtp (~> 0.5.1)
   omniauth (~> 2.1.4)
+  omniauth-identity (~> 3.1, >= 3.1.2)
   omniauth-oauth2 (~> 1.8.0)
   omniauth-rails_csrf_protection (~> 1.0)
   paper_trail (~> 17.0.0)
@@ -642,6 +659,7 @@ DEPENDENCIES
   rb-readline (~> 0.5.5)
   redis (~> 5.0)
   rest-client (~> 2.1.0)
+  rqrcode (~> 2.2)
   rspec-rails (~> 8.0.2)
   rubocop (~> 1.81.7)
   rubocop-factory_bot (~> 2.28.0)

app/assets/stylesheets/application.scss

@@ -81,6 +81,20 @@ a {
   }
 }
 
+.sofia-account-input {
+  min-width: 18rem;
+}
+
+.qr-code {
+  max-width: 20rem;
+}
+
+main {
+  // Wanneer er veel activiteiten zijn, gaat de quote onderaan de 
+  // pagina onder de footer, dus voeg padding toe met de hoogte van de footer
+  padding-bottom: 48px;
+}
+
 .btn-login {
   width: 100%
 }

app/controllers/application_controller.rb

@@ -1,6 +1,8 @@
 class ApplicationController < ActionController::Base
   include Pundit::Authorization
 
+  protect_from_forgery with: :exception, prepend: true
+
   before_action :set_sentry_context
   before_action :set_paper_trail_whodunnit
   before_action :set_layout_flag
@@ -34,4 +36,8 @@ def set_layout_flag
     @show_navigationbar = true
     @show_extras = true
   end
+
+  def normalize_error_messages(full_messages)
+    full_messages.map(&:downcase).join(', ')
+  end
 end

app/controllers/callbacks_controller.rb

@@ -2,11 +2,66 @@ class CallbacksController < Devise::OmniauthCallbacksController
   def amber_oauth2
     user = User.from_omniauth(request.env['omniauth.auth'])
 
-    if user.persisted?
+    if user&.persisted?
       sign_in(:user, user)
       redirect_to user.roles.any? ? root_path : user_path(user.id)
     else
-      redirect_to root_path, flash: { error: 'Authentication failed' }
+      redirect_to root_path, flash: { error: 'Inloggen gefaald.' }
     end
   end
+
+  def identity
+    user = User.from_omniauth_inspect(request.env['omniauth.auth'])
+
+    if user&.persisted?
+      if user.deactivated
+        render(json: { state: 'password_prompt', error_message: 'Uw account is gedeactiveerd, dus inloggen is niet mogelijk.' })
+      else
+        check_identity_with_user(user, SofiaAccount.find_by(user_id: user.id))
+      end
+    else
+      render(json: { state: 'password_prompt', error_message: 'Inloggen mislukt. De ingevulde gegevens zijn incorrect.' })
+    end
+  end
+
+  def check_identity_with_user(user, sofia_account)
+    if sofia_account&.otp_enabled
+      check_identity_with_otp(sofia_account, user)
+    elsif sofia_account
+      # no OTP enabled
+      sign_in(:user, user)
+      render(json: { state: 'logged_in', redirect_url: user.roles.any? ? root_path : user_path(user.id) })
+    else
+      # sofia_account does not exist, should not be possible
+      render(json: { state: 'password_prompt', error_message: 'Inloggen mislukt door een error. Herlaad de pagina en probeer het nog
+                                                               een keer. <br/><i>Werkt het na een paar keer proberen nog steeds niet?
+                                                               Neem dan contact op met de ICT-commissie.</i>' })
+    end
+  end
+
+  def check_identity_with_otp(sofia_account, user)
+    if params[:verification_code].blank?
+      # OTP code not present, so request it
+      render(json: { state: 'otp_prompt' })
+    elsif sofia_account.authenticate_otp(params[:verification_code])
+      # OTP code correct
+      sign_in(:user, user)
+      render(json: { state: 'logged_in', redirect_url: user.roles.any? ? root_path : user_path(user.id) })
+    else
+      # OTP code incorrect
+      render(json: { state: 'otp_prompt', error_message: 'Inloggen mislukt. De authenticatiecode is incorrect.' })
+    end
+  end
+
+  def failure
+    error_message = 'Inloggen mislukt.'
+    if request.env['omniauth.error.strategy'].instance_of? OmniAuth::Strategies::Identity
+      error_message << if request.env['omniauth.error.type'].to_s == 'invalid_credentials'
+                         ' De ingevulde gegevens zijn incorrect.'
+                       else
+                         ' Er is een onverwachte fout opgetreden.'
+                       end
+    end
+    render(json: { state: 'password_prompt', error_message: })
+  end
 end

app/controllers/credit_mutations_controller.rb

@@ -19,7 +19,9 @@ def create # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
 
     respond_to do |format|
       if @mutation.save
-        NewCreditMutationNotificationJob.perform_later(@mutation) if Rails.env.production? || Rails.env.staging? || Rails.env.luxproduction?
+        if Rails.env.production? || Rails.env.staging? || Rails.env.luxproduction? || Rails.env.euros?
+          NewCreditMutationNotificationJob.perform_later(@mutation)
+        end
         format.html { redirect_to which_redirect?, flash: { success: 'Inleg of mutatie aangemaakt' } }
         format.json do
           render json: @mutation, include: { user: { methods: User.orderscreen_json_includes } }