[9] connect and configure login.gov openid connect

.gitignore

@@ -34,6 +34,8 @@
 
 # Ignore master key for decrypting credentials and more.
 /config/master.key
+/config/private.pem
+/config/public.crt
 
 /app/assets/builds/*
 !/app/assets/builds/.keep

Gemfile

@@ -16,6 +16,12 @@ gem "pg"
 # Use the Puma web server [https://github.com/puma/puma]
 gem "puma", ">= 5.0"
 
+# Use the popular Faraday HTTP library
+gem "faraday"
+
+# Use the JWT gem for JSON Web Tokens
+gem "jwt"
+
 # Use JavaScript with ESM import maps [https://github.com/rails/importmap-rails]
 gem "importmap-rails"
 
@@ -50,9 +56,19 @@ group :development, :test do
   # See https://guides.rubyonrails.org/debugging_rails_applications.html#debugging-with-the-debug-gem
   gem "debug", platforms: %i[mri windows]
 
-  gem "rubocop"
   gem "rspec-rails"
-  gem 'codeclimate-test-reporter'
+
+  # add the Ruby LSP package so it's bundled with the rest of the gems and available to VS Code
+  gem "ruby-lsp"
+
+  # rubocop and specific extensions used by VS Code
+  gem "rubocop"
+  gem "rubocop-performance", require: false
+  gem "rubocop-rake", require: false
+  gem "rubocop-rails", require: false
+  gem "rubocop-rspec", require: false
+
+  gem "codeclimate-test-reporter"
 end
 
 group :development do
@@ -69,10 +85,12 @@ end
 
 group :test do
   # Use system testing [https://guides.rubyonrails.org/testing.html#system-testing]
+  gem "webmock"
   gem "capybara"
   gem "selenium-webdriver"
-  gem 'rspec_junit_formatter'
-  gem 'simplecov'
+  gem "rspec_junit_formatter"
+  gem "simplecov"
+  gem "rails-controller-testing"
 end
 
 gem "cssbundling-rails", "~> 1.4"

Gemfile.lock

@@ -100,6 +100,9 @@ GEM
       simplecov (<= 0.13)
     concurrent-ruby (1.3.3)
     connection_pool (2.4.1)
+    crack (1.0.0)
+      bigdecimal
+      rexml
     crass (1.0.6)
     cssbundling-rails (1.4.0)
       railties (>= 6.0.0)
@@ -111,12 +114,18 @@ GEM
     docile (1.1.5)
     drb (2.2.1)
     erubi (1.13.0)
+    faraday (2.10.0)
+      faraday-net_http (>= 2.0, < 3.2)
+      logger
+    faraday-net_http (3.1.0)
+      net-http
     ffi (1.17.0-aarch64-linux-gnu)
     ffi (1.17.0-arm64-darwin)
     ffi (1.17.0-x86_64-darwin)
     ffi (1.17.0-x86_64-linux-gnu)
     globalid (1.2.1)
       activesupport (>= 6.1)
+    hashdiff (1.1.0)
     i18n (1.14.5)
       concurrent-ruby (~> 1.0)
     importmap-rails (2.0.1)
@@ -131,6 +140,8 @@ GEM
       actionview (>= 5.0.0)
       activesupport (>= 5.0.0)
     json (2.7.2)
+    jwt (2.8.2)
+      base64
     language_server-protocol (3.17.0.3)
     logger (1.6.0)
     loofah (2.22.0)
@@ -147,6 +158,8 @@ GEM
     minitest (5.24.1)
     msgpack (1.7.2)
     mutex_m (0.2.0)
+    net-http (0.4.1)
+      uri
     net-imap (0.4.14)
       date
       net-protocol
@@ -170,6 +183,7 @@ GEM
       ast (~> 2.4.1)
       racc
     pg (1.5.6)
+    prism (0.30.0)
     psych (5.1.2)
       stringio
     public_suffix (6.0.0)
@@ -198,6 +212,10 @@ GEM
       activesupport (= 7.1.3.4)
       bundler (>= 1.15.0)
       railties (= 7.1.3.4)
+    rails-controller-testing (1.0.5)
+      actionpack (>= 5.0.1.rc1)
+      actionview (>= 5.0.1.rc1)
+      activesupport (>= 5.0.1.rc1)
     rails-dom-testing (2.2.0)
       activesupport (>= 5.0.0)
       minitest
@@ -215,6 +233,8 @@ GEM
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
     rake (13.2.1)
+    rbs (3.5.2)
+      logger
     rdoc (6.7.0)
       psych (>= 4.0.0)
     regexp_parser (2.9.2)
@@ -254,6 +274,23 @@ GEM
       unicode-display_width (>= 2.4.0, < 3.0)
     rubocop-ast (1.31.3)
       parser (>= 3.3.1.0)
+    rubocop-performance (1.21.1)
+      rubocop (>= 1.48.1, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
+    rubocop-rails (2.25.1)
+      activesupport (>= 4.2.0)
+      rack (>= 1.1)
+      rubocop (>= 1.33.0, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
+    rubocop-rake (0.6.0)
+      rubocop (~> 1.0)
+    rubocop-rspec (3.0.3)
+      rubocop (~> 1.61)
+    ruby-lsp (0.17.9)
+      language_server-protocol (~> 3.17.0)
+      prism (>= 0.29.0, < 0.31)
+      rbs (>= 3, < 4)
+      sorbet-runtime (>= 0.5.10782)
     ruby-progressbar (1.13.0)
     rubyzip (2.3.2)
     sassc (2.4.0)
@@ -275,6 +312,7 @@ GEM
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
+    sorbet-runtime (0.5.11492)
     sprockets (4.2.1)
       concurrent-ruby (~> 1.0)
       rack (>= 2.2.4, < 4)
@@ -296,11 +334,16 @@ GEM
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.5.0)
+    uri (0.13.0)
     web-console (4.2.1)
       actionview (>= 6.0.0)
       activemodel (>= 6.0.0)
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
+    webmock (3.23.1)
+      addressable (>= 2.8.0)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
     webrick (1.8.1)
     websocket (1.2.11)
     websocket-driver (0.7.6)
@@ -324,14 +367,22 @@ DEPENDENCIES
   codeclimate-test-reporter
   cssbundling-rails (~> 1.4)
   debug
+  faraday
   importmap-rails
   jbuilder
+  jwt
   pg
   puma (>= 5.0)
   rails (~> 7.1.3, >= 7.1.3.4)
+  rails-controller-testing
   rspec-rails
   rspec_junit_formatter
   rubocop
+  rubocop-performance
+  rubocop-rails
+  rubocop-rake
+  rubocop-rspec
+  ruby-lsp
   sassc-rails
   selenium-webdriver
   simplecov
@@ -340,6 +391,7 @@ DEPENDENCIES
   turbo-rails
   tzinfo-data
   web-console
+  webmock
 
 RUBY VERSION
    ruby 3.2.2p53

app/controllers/sessions_controller.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+class SessionsController < ApplicationController
+  before_action :check_error_result, :require_code_param, :exchange_token, only: [:result]
+
+  def new
+    # TODO: handle redirect to login page due to inactivity
+  end
+
+  def create
+    login_gov = LoginGov.new
+    redirect_to(login_gov.authorization_url, allow_other_host: true)
+  end
+
+  def delete
+    login_gov = LoginGov.new
+    # TODO: update user session status, clear out JWT
+    # TODO: add session duration to the security log
+    # TODO: delete session locally and Phoenix
+    redirect_to(login_gov.logout_url)
+  end
+
+  def result
+    # TODO: store the user_info in the session
+    # session[:user_info] = @login_userinfo
+  end
+
+  private
+
+  def check_error_result
+    return unless params[:error]
+
+    Rails.logger.error("Login.gov authentication error: #{params[:error]}")
+    flash[:error] = t("login_error")
+    redirect_to new_session_path
+  end
+
+  def require_code_param
+    return if params[:code].present?
+
+    Rails.logger.error("Login.gov unknown error")
+    flash[:error] = t("please_try_again")
+    redirect_to new_session_path
+  end
+
+  # Authenticates a user with login.gov using JWT
+  def exchange_token
+    login_gov = LoginGov.new
+    @login_userinfo = login_gov.exchange_token_from_auth_result(params[:code])
+    Rails.logger.debug do
+      "userinfo=#{@login_userinfo}"
+    end
+  rescue LoginGov::LoginApiError => e
+    Rails.logger.error("LoginGov::LoginApiError(#{e.message}) status(#{e.status_code}):\n#{e.response_body}")
+    flash[:error] = t("login_error")
+    redirect_to new_session_path
+  end
+end