PKCE frontend authentication

.yarnrc.yml

@@ -13,6 +13,9 @@ packageExtensions:
   autoprefixer@*:
     dependencies:
       colorette: "*"
+  "framer-motion@*":
+    dependencies:
+      "@emotion/is-prop-valid": "*"
 
 pnpEnableEsmLoader: true
 

app/controllers/application_controller.rb

@@ -53,11 +53,18 @@ def graphql_authenticity_token
   end
   helper_method :graphql_authenticity_token
 
+  def oidc_issuer_url
+    issuer = Doorkeeper::OpenidConnect.configuration.issuer
+    issuer.respond_to?(:call) ? issuer.call : issuer
+  end
+
   def app_component_props
     {
       recaptchaSiteKey: Recaptcha.configuration.site_key,
       railsDirectUploadsUrl: rails_direct_uploads_url,
-      railsDefaultActiveStorageServiceName: Rails.application.config.active_storage.service.to_s
+      railsDefaultActiveStorageServiceName: Rails.application.config.active_storage.service.to_s,
+      oauthFrontendApplicationUid: Doorkeeper::Application.find_by(is_intercode_frontend: true)&.uid,
+      oidcIssuerUrl: oidc_issuer_url
     }
   end
   helper_method :app_component_props

app/controllers/passwords_controller.rb

@@ -1,5 +1,9 @@
 # frozen_string_literal: true
 class PasswordsController < Devise::PasswordsController
+  def new
+    render html: "", layout: "application"
+  end
+
   def create
     self.resource =
       resource_class.find_or_initialize_with_errors(resource_class.reset_password_keys, resource_params, :not_found)
@@ -20,7 +24,12 @@ def create
   def actually_do_reset
     return unless resource.persisted?
 
-    resource.reset_password_mail_options = { host: request.host, port: request.port, protocol: request.protocol }
+    mailer_url_options = ActionMailer::Base.default_url_options
+    resource.reset_password_mail_options = {
+      host: mailer_url_options[:host],
+      port: mailer_url_options[:port],
+      protocol: mailer_url_options[:protocol] || request.protocol
+    }
 
     resource.send_reset_password_instructions
   end

app/controllers/registrations_controller.rb

@@ -2,11 +2,15 @@
 class RegistrationsController < Devise::RegistrationsController
   include RedirectWithAuthentication
 
-  prepend_before_action :check_captcha, only: [:create]
-  prepend_before_action :disable_destroy, only: [:destroy]
+  prepend_before_action :check_captcha, only: [:create] # rubocop:disable Rails/LexicallyScopedActionFilter
+  prepend_before_action :disable_destroy, only: [:destroy] # rubocop:disable Rails/LexicallyScopedActionFilter
 
   def new
-    respond_to { |format| format.html { redirect_with_authentication("signUp") } }
+    render html: "", layout: "application"
+  end
+
+  def edit
+    render html: "", layout: "application"
   end
 
   private
@@ -23,6 +27,6 @@ def check_captcha
   end
 
   def disable_destroy
-    redirect_to root_path, alert: "To delete your account, please email the site administrators."
+    redirect_to root_path, alert: t("registrations.disable_destroy")
   end
 end

app/controllers/sessions_controller.rb

@@ -1,15 +1,61 @@
 # frozen_string_literal: true
 class SessionsController < Devise::SessionsController
-  include RedirectWithAuthentication
-
+  layout false
   prepend_before_action :set_return_to, only: [:new]
 
   def new
-    respond_to { |format| format.html { redirect_with_authentication("signIn") } }
+    render html: "", layout: "application"
+  end
+
+  # Override to allow cross-host redirect back to the convention subdomain after sign-in.
+  def create
+    self.resource = warden.authenticate!(auth_options)
+    set_flash_message!(:notice, :signed_in)
+    sign_in(resource_name, resource)
+    path = after_sign_in_path_for(resource)
+    uri = parse_uri_silently(path.to_s)
+    redirect_to path, allow_other_host: uri&.host.present? && trusted_origin?(uri.host)
+  end
+
+  # Override to allow cross-host redirect back to the convention subdomain after sign-out.
+  def respond_to_on_destroy(non_navigational_status: :no_content)
+    respond_to do |format|
+      format.all { head non_navigational_status }
+      format.any(*navigational_formats) do
+        redirect_to after_sign_out_path_for(resource_name),
+                    status: Devise.responder.redirect_status,
+                    allow_other_host: true
+      end
+    end
   end
 
   private
 
+  def after_sign_out_path_for(_resource_or_scope)
+    trusted_referer_url || root_path
+  end
+
+  def trusted_referer_url
+    return unless request.referer
+
+    referer_uri = parse_uri_silently(request.referer)
+    return unless referer_uri
+
+    trusted_origin?(referer_uri.host) ? request.referer : nil
+  end
+
+  def parse_uri_silently(url)
+    URI(url)
+  rescue StandardError
+    nil
+  end
+
+  def trusted_origin?(host)
+    intercode_host = ENV.fetch("INTERCODE_HOST", nil)
+    host == intercode_host || (intercode_host && host&.end_with?(".#{intercode_host}")) ||
+      Convention.exists?(domain: host)
+  end
+
   def set_return_to
     return if params[:user_return_to].blank?
     session[:user_return_to] = params[:user_return_to]

app/graphql/mutations/setup_my_profile.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+class Mutations::SetupMyProfile < Mutations::BaseMutation
+  description "Creates a UserConProfile for the currently signed-in user in the current convention."
+
+  field :my_profile, Types::UserConProfileType, null: false, description: "The created or existing profile."
+
+  require_user
+
+  def authorized?
+    !!current_user && !!convention
+  end
+
+  def resolve
+    existing = convention.user_con_profiles.find_by(user: current_user)
+    return { my_profile: existing } if existing
+
+    result = SetupUserConProfileService.new(convention:, user: current_user).call!
+    { my_profile: result.user_con_profile }
+  end
+end

app/graphql/types/authorized_application_type.rb

@@ -1,8 +1,14 @@
 # frozen_string_literal: true
 class Types::AuthorizedApplicationType < Types::BaseObject
-  field :name, String, null: false
-  field :scopes, [String], null: false
-  field :uid, ID, null: false
+  description "An OAuth application that a user has authorized."
+
+  field :is_intercode_frontend,
+        Boolean,
+        null: false,
+        description: "Whether this is the built-in Intercode frontend application."
+  field :name, String, null: false, description: "The display name of the OAuth application."
+  field :scopes, [String], null: false, description: "The OAuth scopes granted to this application."
+  field :uid, ID, null: false, description: "The OAuth application's unique identifier."
 
   def scopes
     object.scopes.to_a

app/graphql/types/client_configuration_type.rb

@@ -1,14 +1,26 @@
+# frozen_string_literal: true
 class Types::ClientConfigurationType < Types::BaseObject
   description "Client-side configuration values needed for frontend initialization"
 
+  field :oauth_frontend_application_uid,
+        String,
+        null: true,
+        description: "The OAuth application UID for the Intercode frontend SPA (used for PKCE auth)"
+  field :oidc_issuer_url,
+        String,
+        null: true,
+        description: "The OIDC issuer URL (used as the base for OpenID Connect discovery)"
   field :rails_default_active_storage_service_name,
         String,
         null: false,
         description: "The default Active Storage service name configured in Rails"
   # rubocop:disable GraphQL/ExtractType
   field :rails_direct_uploads_url, String, null: false, description: "The URL endpoint for Rails Direct Uploads"
   # rubocop:enable GraphQL/ExtractType
-  field :recaptcha_site_key, String, null: false, description: "The reCAPTCHA site key for client-side verification"
+  field :recaptcha_site_key,
+        String,
+        null: true,
+        description: "The reCAPTCHA site key for client-side verification, or null if reCAPTCHA is disabled"
 
   def rails_default_active_storage_service_name
     Rails.application.config.active_storage.service.to_s
@@ -21,4 +33,13 @@ def rails_direct_uploads_url
   def recaptcha_site_key
     Recaptcha.configuration.site_key
   end
+
+  def oauth_frontend_application_uid
+    Doorkeeper::Application.find_by(is_intercode_frontend: true)&.uid
+  end
+
+  def oidc_issuer_url
+    issuer = Doorkeeper::OpenidConnect.configuration.issuer
+    issuer.respond_to?(:call) ? issuer.call : issuer
+  end
 end

app/graphql/types/mutation_type.rb

@@ -291,6 +291,7 @@ def self.authorized?(_value, context)
   field :acceptClickwrapAgreement, null: false, mutation: Mutations::AcceptClickwrapAgreement
   field :createUserConProfile, null: false, mutation: Mutations::CreateUserConProfile
   field :deleteUserConProfile, null: false, mutation: Mutations::DeleteUserConProfile
+  field :setupMyProfile, null: false, mutation: Mutations::SetupMyProfile
   field :updateUserConProfile, null: false, mutation: Mutations::UpdateUserConProfile
   field :withdrawAllUserConProfileSignups, null: false, mutation: Mutations::WithdrawAllUserConProfileSignups
 end

app/graphql/types/query_type.rb

@@ -32,6 +32,23 @@ class Types::QueryType < Types::BaseObject
     MARKDOWN
   end
 
+  field :convention_by_oauth_return_if_present, Types::ConventionType, null: true do
+    description <<~MARKDOWN
+      Returns the convention associated with the current OAuth sign-in flow, if any. Parses the
+      `redirect_uri` from the stored OAuth return URL in the session to determine which convention
+      the user is signing into. Useful on the root-domain sign-in page where
+      `conventionByRequestHostIfPresent` returns null.
+    MARKDOWN
+  end
+
+  field :oauth_application_by_current_request, Types::AuthorizedApplicationType, null: true do
+    description <<~MARKDOWN
+      Returns the OAuth application initiating the current sign-in flow, if any. Parses the
+      `client_id` from the stored OAuth return URL in the session or params to identify which
+      application the user is signing in to use.
+    MARKDOWN
+  end
+
   field :convention_by_id, Types::ConventionType, null: false do
     argument :id, ID, required: false, camelize: true
     description <<~MARKDOWN
@@ -196,6 +213,33 @@ def convention_by_request_host_if_present
     context[:convention]
   end
 
+  def convention_by_oauth_return_if_present
+    return_to = context[:controller].session[:user_return_to] || context[:controller].params[:user_return_to]
+    return unless return_to
+
+    return_to_uri = URI.parse(return_to)
+    redirect_uri_str = Rack::Utils.parse_query(return_to_uri.query)["redirect_uri"]
+    return unless redirect_uri_str
+
+    redirect_uri = URI.parse(redirect_uri_str)
+    Convention.find_by(domain: redirect_uri.host)
+  rescue URI::InvalidURIError, ArgumentError
+    nil
+  end
+
+  def oauth_application_by_current_request
+    return_to = context[:controller].session[:user_return_to] || context[:controller].params[:user_return_to]
+    return unless return_to
+
+    return_to_uri = URI.parse(return_to)
+    client_id = Rack::Utils.parse_query(return_to_uri.query)["client_id"]
+    return unless client_id
+
+    Doorkeeper::Application.find_by(uid: client_id)
+  rescue URI::InvalidURIError, ArgumentError
+    nil
+  end
+
   def convention_by_id(id: nil)
     Convention.find(id)
   end

app/graphql/types/root_site_input_type.rb

@@ -1,6 +1,21 @@
 # frozen_string_literal: true
 class Types::RootSiteInputType < Types::BaseInputObject
-  argument :default_layout_id, ID, required: false, camelize: true
-  argument :root_page_id, ID, required: false, camelize: true
-  argument :site_name, String, required: false, camelize: false
+  description "Input type for updating root site settings."
+
+  argument :auth_layout_id,
+           ID,
+           required: false,
+           camelize: true,
+           description: "ID of the CMS layout to use for authentication pages."
+  argument :default_layout_id,
+           ID,
+           required: false,
+           camelize: true,
+           description: "ID of the default CMS layout for pages."
+  argument :root_page_id, ID, required: false, camelize: true, description: "ID of the root page."
+  argument :site_name,
+           String,
+           required: false,
+           camelize: false,
+           description: "Display name shown in the navigation bar."
 end

app/graphql/types/root_site_type.rb

@@ -1,12 +1,15 @@
 # frozen_string_literal: true
 class Types::RootSiteType < Types::BaseObject
+  description "The root site, which hosts global CMS content and authentication pages."
+
   implements Types::CmsParent
   include CmsParentImplementation
 
-  field :host, String, null: false
-  field :id, ID, null: false
-  field :site_name, String, null: false, camelize: false
-  field :url, String, null: false
+  field :auth_layout, Types::CmsLayoutType, null: true, description: "CMS layout used for authentication pages."
+  field :host, String, null: false, description: "The hostname of the root site."
+  field :id, ID, null: false, description: "A fixed identifier for the singleton root site."
+  field :site_name, String, null: false, camelize: false, description: "The display name shown in the navigation bar."
+  field :url, String, null: false, description: "The base URL of the root site."
 
   def id
     "singleton"

app/graphql/types/user_con_profile_type.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+# rubocop:disable Metrics/ClassLength
 class Types::UserConProfileType < Types::BaseObject
   description <<~MARKDOWN
     A UserConProfile is a user's profile in a particular convention web site.  Most convention-level objects are
@@ -53,6 +54,7 @@ def self.personal_info_field(field_name, ...)
   field :name_without_nickname, String, null: false do # rubocop:disable GraphQL/ExtractType
     description "This user profile's full name, not including their nickname."
   end
+  field :needs_update, Boolean, null: false, description: "Does this profile need to be updated by the user?"
   field :nickname, String, null: true, description: "This user profile's nickname."
   field :order_summary, String, null: false, description: "A human-readable summary of all this profile's orders."
   field :orders, [Types::OrderType], null: false, description: "All the orders placed by this profile."
@@ -227,3 +229,4 @@ def form
     convention.user_con_profile_form
   end
 end
+# rubocop:enable Metrics/ClassLength