recreate admin account

Author: thedumbtechguy

Gemfile

@@ -93,3 +93,7 @@ gem "faker", "~> 3.5", group: :development
 gem "inline_svg", "~> 1.10"
 
 gem "csv", "~> 3.3"
+
+gem "rotp", "~> 6.3"
+
+gem "rqrcode", "~> 3.1"

Gemfile.lock

@@ -103,6 +103,7 @@ GEM
       xpath (~> 3.2)
     childprocess (5.1.0)
       logger (~> 1.5)
+    chunky_png (1.4.0)
     concurrent-ruby (1.3.5)
     connection_pool (2.5.4)
     crass (1.0.6)
@@ -421,6 +422,11 @@ GEM
       roda (~> 3.76)
       rodauth (~> 2.36)
       rodauth-model (~> 0.2)
+    rotp (6.3.0)
+    rqrcode (3.1.0)
+      chunky_png (~> 1.0)
+      rqrcode_core (~> 2.0)
+    rqrcode_core (2.0.0)
     rubocop (1.75.8)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
@@ -595,6 +601,8 @@ DEPENDENCIES
   rails (~> 8.0.1)
   rodauth-omniauth (~> 0.6.0)
   rodauth-rails (~> 2.0)
+  rotp (~> 6.3)
+  rqrcode (~> 3.1)
   selenium-webdriver
   sequel-activerecord_connection (~> 2.0)
   solid_cable

app/mailers/rodauth_mailer.rb

@@ -16,14 +16,11 @@ def reset_password(name, account_id, key)
   end
 
   def verify_login_change(name, account_id, key)
-    @rodauth = rodauth(name, account_id) {
-      @verify_login_change_key_value = key
-    }
+    @rodauth = rodauth(name, account_id) { @verify_login_change_key_value = key }
     @account = @rodauth.rails_account
     @new_email = @account.login_change_key.login
 
-    mail to: @new_email,
-      subject: @rodauth.email_subject_prefix + @rodauth.verify_login_change_email_subject
+    mail to: @new_email, subject: @rodauth.email_subject_prefix + @rodauth.verify_login_change_email_subject
   end
 
   def change_password_notify(name, account_id)

app/models/admin.rb

@@ -13,7 +13,29 @@
 #
 class Admin < ResourceRecord
   include Rodauth::Rails.model(:admin)
+  # add concerns above.
+
+  # add model configurations above.
+
+  # add belongs_to associations above.
+
+  # add has_one associations above.
+
+  # add has_many associations above.
+
+  # add attachments above.
+
+  # add scopes above.
+
   validates :email, presence: true
+  # add validations above.
+
+  # add callbacks above.
+
+  # add delegations above.
 
   enum :status, unverified: 1, verified: 2, closed: 3
+  # add misc attribute macros above.
+
+  # add methods above.
 end

app/rodauth/admin_rodauth_plugin.rb

@@ -12,34 +12,26 @@ class AdminRodauthPlugin < RodauthPlugin
     # http://rodauth.jeremyevans.net/documentation.html
 
     # List of authentication features that are loaded.
-    enable(
-      :login,
-      :remember,
-      :logout,
-      # :create_account,
-      # :verify_account,
-      # :verify_account_grace_period,
-      :reset_password,
-      :reset_password_notify,
-      # :change_login,
-      # :verify_login_change,
-      :change_password,
-      :change_password_notify,
-      :case_insensitive_login,
-      :internal_request
-    )
+    enable :login, :remember, :logout, :create_account, :verify_account, :close_account, :reset_password, :reset_password_notify, :password_grace_period, :change_password, :otp, :recovery_codes, :lockout, :active_sessions, :audit_logging, :internal_request
 
     # ==> General
 
     # Prevent rodauth from introspecting the database if we are not using UUIDs
     convert_token_id_to_integer? { Admin.columns_hash["id"].type == :integer }
 
     # Change prefix of table and foreign key column names from default "account"
+    account_lockouts_table :admin_lockouts
+    account_login_failures_table :admin_login_failures
     accounts_table :admins
+    active_sessions_account_id_column :admin_id
+    active_sessions_table :admin_active_session_keys
+    audit_logging_account_id_column :admin_id
+    audit_logging_table :admin_authentication_audit_logs
+    otp_keys_table :admin_otp_keys
+    recovery_codes_table :admin_recovery_codes
     remember_table :admin_remember_keys
     reset_password_table :admin_password_reset_keys
-    # verify_account_table :admin_verification_keys
-    # verify_login_change_table :admin_login_change_keys
+    verify_account_table :admin_verification_keys
 
     # The secret key used for hashing public-facing tokens for various features.
     # Defaults to Rails `secret_key_base`, but you can use your own secret key.
@@ -66,7 +58,7 @@ class AdminRodauthPlugin < RodauthPlugin
 
     # Redirect back to originally requested location after authentication.
     login_return_to_requested_location? true
-    # two_factor_auth_return_to_requested_location? true # if using MFA
+    two_factor_auth_return_to_requested_location? true
 
     # Autologin the user after they have reset their password.
     # reset_password_autologin? true
@@ -81,41 +73,26 @@ class AdminRodauthPlugin < RodauthPlugin
     # Requires the JSON feature
     # only_json? false
 
+    # Only ask for password after asking for the login
+    use_multi_phase_login? true
+
     # ==> Emails
     # Use a custom mailer for delivering authentication emails.
 
-    # create_reset_password_email do
-    #   Rodauth::AdminMailer.reset_password(
-    #     self.class.configuration_name,
-    #     account_id, reset_password_key_value
-    #   )
-    # end
-
-    # create_verify_account_email do
-    #   Rodauth::AdminMailer.verify_account(
-    #     self.class.configuration_name,
-    #     account_id, verify_account_key_value
-    #   )
-    # end
-
-    # create_verify_login_change_email do |_login|
-    #   Rodauth::AdminMailer.verify_login_change(
-    #     self.class.configuration_name,
-    #     account_id, verify_login_change_key_value
-    #   )
-    # end
+    create_reset_password_email do
+      Rodauth::AdminMailer.reset_password(self.class.configuration_name, account_id, reset_password_key_value)
+    end
 
-    create_password_changed_email do
-      Rodauth::AdminMailer.change_password_notify(
-        self.class.configuration_name, account_id
-      )
+    create_verify_account_email do
+      Rodauth::AdminMailer.verify_account(self.class.configuration_name, account_id, verify_account_key_value)
     end
 
     create_reset_password_notify_email do
-      Rodauth::AdminMailer.reset_password_notify(
-        self.class.configuration_name,
-        account_id
-      )
+      Rodauth::AdminMailer.reset_password_notify(self.class.configuration_name, account_id)
+    end
+
+    create_unlock_account_email do
+      Rodauth::AdminMailer.unlock_account(self.class.configuration_name, account_id, unlock_account_key_value)
     end
 
     send_email do |email|
@@ -131,6 +108,7 @@ class AdminRodauthPlugin < RodauthPlugin
     # flash_error_key :error # default is :alert
 
     # Override default flash messages.
+    two_factor_not_setup_error_flash "You need to setup two factor authentication"
     # create_account_notice_flash "Your account has been created. Please verify your account by visiting the confirmation link sent to your email address."
     # require_login_error_flash "Login is required for accessing this page"
     # login_notice_flash nil
@@ -180,6 +158,11 @@ class AdminRodauthPlugin < RodauthPlugin
 
     # ==> Hooks
 
+    # Prevent using the web to sign up.
+    before_create_account_route do
+      request.halt unless internal_request?
+    end
+
     # Validate custom fields in the create account form.
     # before_create_account do
     #   throw_error_status(422, "name", "must be present") if param("name").empty?
@@ -190,28 +173,28 @@ class AdminRodauthPlugin < RodauthPlugin
     #   Profile.create!(account_id: account_id, name: param("name"))
     # end
 
-    # # Do additional cleanup after the account is closed.
-    # # after_close_account do
-    # #   Profile.find_by!(account_id: account_id).destroy
-    # # end
-    # create_account_route "register"
+    # Do additional cleanup after the account is closed.
+    # after_close_account do
+    #   Profile.find_by!(account_id: account_id).destroy
+    # end
 
     # ==> Redirects
 
-    # # Redirect to home after login.
-    # create_account_redirect "/admin_dashboard"
+    # Redirect to home after login.
+    create_account_redirect "/admin_dashboard"
 
     # Redirect to home after login.
     login_redirect "/admin_dashboard"
 
     # Redirect to home page after logout.
-    logout_redirect "/"
+    logout_redirect "/admin_dashboard"
 
-    # # Redirect to wherever login redirects to after account verification.
-    # verify_account_redirect { login_redirect }
+    # Redirect to wherever login redirects to after account verification.
+    verify_account_redirect { login_redirect }
 
     # Redirect to login page after password reset.
     reset_password_redirect { login_path }
+
     # ==> Deadlines
     # Change default deadlines for some actions.
     # verify_account_grace_period 3.days.to_i

app/views/rodauth/admin/_login_form_footer.html.erb

@@ -0,0 +1,8 @@
+<% unless rodauth(:admin).login_form_footer_links.empty? %>
+  <ul>
+    <% rodauth(:admin).login_form_footer_links.sort.each do |_, link, text| %>
+      <% next if rodauth(:admin).try(:create_account_path) == link %>
+      <li><%= link_to text, link, class: "text-primary-600 rounded-sm text-sm hover:underline hover:text-primary-800 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-primary-600 dark:text-primary-300 dark:hover:text-primary-400 dark:focus-visible:ring-2 dark:focus-visible:ring-primary-300" %></li>
+    <% end %>
+  </ul>
+<% end %>

db/migrate/20250116233733_create_rodauth_admin_base_remember_verify_account_reset_password_verify_login_change.rb

@@ -33,13 +33,52 @@ def change
       t.datetime :email_last_sent, null: false, default: -> { "CURRENT_TIMESTAMP" }
     end
 
-    # Used by the verify login change feature
-    create_table :admin_login_change_keys, id: false do |t|
+    # Used by the otp feature
+    create_table :admin_otp_keys, id: false do |t|
+      t.bigint :id, primary_key: true
+      t.foreign_key :admins, column: :id
+      t.string :key, null: false
+      t.integer :num_failures, null: false, default: 0
+      t.datetime :last_use, null: false, default: -> { "CURRENT_TIMESTAMP" }
+    end
+
+    # Used by the recovery codes feature
+    create_table :admin_recovery_codes, primary_key: [:id, :code] do |t|
+      t.bigint :id
+      t.foreign_key :admins, column: :id
+      t.string :code
+    end
+
+    # Used by the lockout feature
+    create_table :admin_login_failures, id: false do |t|
+      t.bigint :id, primary_key: true
+      t.foreign_key :admins, column: :id
+      t.integer :number, null: false, default: 1
+    end
+    create_table :admin_lockouts, id: false do |t|
       t.bigint :id, primary_key: true
       t.foreign_key :admins, column: :id
       t.string :key, null: false
-      t.string :login, null: false
       t.datetime :deadline, null: false
+      t.datetime :email_last_sent
+    end
+
+    # Used by the active sessions feature
+    create_table :admin_active_session_keys, primary_key: [:admin_id, :session_id] do |t|
+      t.references :admin, foreign_key: true
+      t.string :session_id
+      t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+      t.datetime :last_use, null: false, default: -> { "CURRENT_TIMESTAMP" }
+    end
+
+    # Used by the audit logging feature
+    create_table :admin_authentication_audit_logs do |t|
+      t.references :admin, foreign_key: true, null: false
+      t.datetime :at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+      t.text :message, null: false
+      t.json :metadata
+      t.index [:admin_id, :at], name: "audit_admin_admin_id_at_idx"
+      t.index :at, name: "audit_admin_at_idx"
     end
   end
 end

db/schema.rb

@@ -0,0 +1,11 @@
+namespace :rodauth do
+  desc "Create a admin account"
+  task admin: :environment do
+    require "tty-prompt"
+
+    prompt = TTY::Prompt.new
+    email = ENV["EMAIL"] || prompt.ask("Email:", required: true)
+
+    RodauthApp.rodauth(:admin).create_account(login: email)
+  end
+end