feat: Authenticate by SSO tokens (#1439)

Co-authored-by: Pranav Raj Sreepuram <pranavrajs@gmail.com>

app/builders/account_builder.rb

@@ -67,7 +67,8 @@ class AccountBuilder
   end
 
   def create_user
-    password = Time.now.to_i
+    password = SecureRandom.alphanumeric(12)
+
     @user = User.new(email: @email,
                      password: password,
                      password_confirmation: password,

app/controllers/devise_overrides/sessions_controller.rb

@@ -2,8 +2,38 @@ class DeviseOverrides::SessionsController < ::DeviseTokenAuth::SessionsControlle
   # Prevent session parameter from being passed
   # Unpermitted parameter: session
   wrap_parameters format: []
+  before_action :process_sso_auth_token, only: [:create]
+
+  def create
+    # Authenticate user via the temporary sso auth token
+    if params[:sso_auth_token].present? && @resource.present?
+      authenticate_resource_with_sso_token
+      yield @resource if block_given?
+      render_create_success
+    else
+      super
+    end
+  end
 
   def render_create_success
     render partial: 'devise/auth.json', locals: { resource: @resource }
   end
+
+  private
+
+  def authenticate_resource_with_sso_token
+    @token = @resource.create_token
+    @resource.save
+
+    sign_in(:user, @resource, store: false, bypass: false)
+    # invalidate the token after the user is signed in
+    @resource.invalidate_sso_auth_token(params[:sso_auth_token])
+  end
+
+  def process_sso_auth_token
+    return if params[:email].blank?
+
+    user = User.find_by(email: params[:email])
+    @resource = user if user&.valid_sso_auth_token?(params[:sso_auth_token])
+  end
 end

app/javascript/dashboard/routes/login/Login.vue

@@ -13,7 +13,7 @@
       </h2>
     </div>
     <div class="row align-center">
-      <div class="small-12 medium-4 column">
+      <div v-if="!email" class="small-12 medium-4 column">
         <form class="login-box column align-self-top" @submit.prevent="login()">
           <div class="column log-in-form">
             <label :class="{ error: $v.credentials.email.$error }">
@@ -47,7 +47,6 @@
               button-class="large expanded"
             >
             </woot-submit-button>
-            <!-- <input type="submit" class="button " v-on:click.prevent="login()" v-bind:value="" > -->
           </div>
         </form>
         <div class="column text-center sigin__footer">
@@ -63,13 +62,12 @@
           </p>
         </div>
       </div>
+      <woot-spinner v-else size="" />
     </div>
   </div>
 </template>
 
 <script>
-/* global bus */
-
 import { required, email } from 'vuelidate/lib/validators';
 import globalConfigMixin from 'shared/mixins/globalConfigMixin';
 import WootSubmitButton from '../../components/buttons/FormSubmitButton';
@@ -80,6 +78,12 @@ export default {
     WootSubmitButton,
   },
   mixins: [globalConfigMixin],
+  props: {
+    ssoAuthToken: { type: String, default: '' },
+    redirectUrl: { type: String, default: '' },
+    config: { type: String, default: '' },
+    email: { type: String, default: '' },
+  },
   data() {
     return {
       // We need to initialize the component with any
@@ -111,6 +115,11 @@ export default {
       globalConfig: 'globalConfig/get',
     }),
   },
+  created() {
+    if (this.ssoAuthToken) {
+      this.login();
+    }
+  },
   methods: {
     showAlert(message) {
       // Reset loading, current selected agent
@@ -124,8 +133,9 @@ export default {
     login() {
       this.loginApi.showLoading = true;
       const credentials = {
-        email: this.credentials.email,
+        email: this.email ? this.email : this.credentials.email,
         password: this.credentials.password,
+        sso_auth_token: this.ssoAuthToken,
       };
       this.$store
         .dispatch('login', credentials)
@@ -133,6 +143,11 @@ export default {
           this.showAlert(this.$t('LOGIN.API.SUCCESS_MESSAGE'));
         })
         .catch(response => {
+          // Reset URL Params if the authenication is invalid
+          if (this.email) {
+            window.location = '/app/login';
+          }
+
           if (response && response.status === 401) {
             this.showAlert(this.$t('LOGIN.API.UNAUTH'));
             return;

app/javascript/dashboard/routes/login/login.routes.js

@@ -7,6 +7,12 @@ export default {
       path: frontendURL('login'),
       name: 'login',
       component: Login,
+      props: route => ({
+        config: route.query.config,
+        email: route.query.email,
+        ssoAuthToken: route.query.sso_auth_token,
+        redirectUrl: route.query.route_url,
+      }),
     },
   ],
 };

app/models/concerns/sso_authenticatable.rb

@@ -0,0 +1,23 @@
+module SsoAuthenticatable
+  extend ActiveSupport::Concern
+
+  def generate_sso_auth_token
+    token = SecureRandom.hex(32)
+    ::Redis::Alfred.setex(sso_token_key(token), true, 5.minutes)
+    token
+  end
+
+  def invalidate_sso_auth_token(token)
+    ::Redis::Alfred.delete(sso_token_key(token))
+  end
+
+  def valid_sso_auth_token?(token)
+    ::Redis::Alfred.get(sso_token_key(token)).present?
+  end
+
+  private
+
+  def sso_token_key(token)
+    format(::Redis::RedisKeys::USER_SSO_AUTH_TOKEN, user_id: id, token: token)
+  end
+end

app/models/conversation.rb

@@ -98,7 +98,7 @@ class Conversation < ApplicationRecord
   end
 
   def muted?
-    !Redis::Alfred.get(mute_key).nil?
+    Redis::Alfred.get(mute_key).present?
   end
 
   def lock!
@@ -287,7 +287,7 @@ class Conversation < ApplicationRecord
   end
 
   def mute_key
-    format('CONVERSATION::%<id>d::MUTED', id: id)
+    format(Redis::RedisKeys::CONVERSATION_MUTE_KEY, id: id)
   end
 
   def mute_period

app/models/user.rb

@@ -44,6 +44,7 @@ class User < ApplicationRecord
   include Pubsubable
   include Rails.application.routes.url_helpers
   include Reportable
+  include SsoAuthenticatable
 
   devise :database_authenticatable,
          :registerable,