Login system improvements

- Allow password change
- Allow terminating all sessions associated with an user
- Check database for non-persistent sessions as well, improving security
    (ending sessions used to take effect only later)
- Add rake tasks to clear all expired and logged-out sessions

app/controllers/dashboard_controller.rb

@@ -16,9 +16,14 @@ class DashboardController < ApplicationController
       .paginate(page: params[:nrpage], per_page: 5)
   end
 
-  def settings
+  def set_settings_params!
     @person = current_person
     @send_attendance_reminder = @person.send_attendance_reminder
+    @active_sessions = Session.where(user: current_user).where(active: true).where('expires > ?', Time.now).count
+  end
+
+  def settings
+    set_settings_params!
   end
 
   def update_email_settings
@@ -29,4 +34,53 @@ class DashboardController < ApplicationController
     flash_message(:success, t('settings.saved'))
     redirect_to root_path
   end
+
+  def logout_all_sessions
+    u = current_user
+
+    u.logout_all_sessions!
+    log_out
+
+    redirect_to login_path
+  end
+
+  def update_password
+    u = current_user
+
+    current = params[:current_password]
+    new = params[:new_password]
+    confirm = params[:new_password_confirm]
+
+    if !u.authenticate(current)
+      flash_message(:danger, t('authentication.invalid_pass'))
+      redirect_to settings_path
+      return
+    end
+
+    if new.blank?
+      flash_message(:danger, t('authentication.password_blank'))
+      redirect_to settings_path
+      return
+    end
+
+    if new != confirm
+      flash_message(:danger, t('authentication.password_repeat_mismatch'))
+      redirect_to settings_path
+      return
+    end
+
+    u.password = new
+    u.password_confirmation = confirm
+    if u.save
+      flash_message(:success, t('authentication.password_changed'))
+      u.logout_all_sessions!
+      log_out
+      redirect_to login_path
+      return
+    else
+      flash_message(:danger, t(:somethingbroke))
+      Rails.logger.error('Password change failure')
+      redirect_to settings_path
+    end
+  end
 end

app/helpers/authentication_helper.rb

@@ -33,6 +33,8 @@ module AuthenticationHelper
           value: s.id,
           httponly: true
         }
+      else
+        session[:session_id] = s.id
       end
     end
   end
@@ -58,6 +60,10 @@ module AuthenticationHelper
     # We verify that the session hasn't expired yet.
     if session[:user_id] && session[:expires].to_time > DateTime.now
 
+      get_user_session
+
+      return false if !@user_session.active || @user_session.expires < Time.now
+
       return true
 
     else
@@ -92,9 +98,8 @@ module AuthenticationHelper
     if @user_session
       @user_session
     else
-      @user_session ||= Session.find(
-        cookies.signed.permanent[:session_id]
-      )
+      id = cookies.signed.permanent[:session_id] || session[:session_id]
+      @user_session ||= Session.find(id)
     end
 
     # Edge case if a session no longer exists in the database

app/models/user.rb

@@ -18,6 +18,13 @@ class User < ApplicationRecord
 
   before_validation :email_same_as_person
 
+  # Set all sessions associated with this User to inactive, for instance after
+  # a password change, or when the user selects this options in the Settings.
+  def logout_all_sessions!
+    sessions = Session.where(user: self)
+    sessions.update_all(active: false)
+  end
+
   private
   # Assert that the user's email address is the same as the email address of
   # the associated Person.

app/views/dashboard/settings.html.haml

@@ -7,7 +7,6 @@
 = form_tag(update_email_settings_path, method: "post", class: "form") do
   .row
     .col-md-4
-      -#= hidden_field_tag(:send_attendance_reminder, "off")
       %label
         = check_box_tag(:send_attendance_reminder, 'send_attendance_reminder', @send_attendance_reminder)
         = t('settings.names.send_attendance_reminder')
@@ -15,4 +14,30 @@
       %p
         %em= t 'settings.descriptions.send_attendance_reminder'
 
-  = submit_tag t('helpers.submit.submit', model: t('settings.settings'))
+  = submit_tag t('helpers.submit.submit', model: t('settings.settings')), class: 'btn btn-primary'
+
+%h2
+  = t 'settings.logout_all_sessions'
+
+%p
+  %em= t 'settings.descriptions.logout_all_sessions'
+
+%p
+  = t 'settings.descriptions.logged_in_at_count', count: @active_sessions
+
+= form_tag(logout_all_path, method: 'post', class: 'form') do
+  = submit_tag t('settings.logout_all_sessions'), class: 'btn btn-danger', data: {confirm: t(:areyousure)}
+%h2
+  = t 'settings.change_password'
+
+= form_tag(update_password_path, method: 'post', class: 'form') do
+  .form-group
+    = label_tag(:current_password, t('authentication.current_password'))
+    = password_field_tag(:current_password, '', class: 'form-control')
+  .form-group
+    = label_tag(:new_password, t('authentication.new_password'))
+    = password_field_tag(:new_password, '', class: 'form-control')
+  .form-group
+    = label_tag(:new_password_confirm, t('authentication.new_password_confirm'))
+    = password_field_tag(:new_password_confirm, '', class: 'form-control')
+  = submit_tag t('settings.change_password'), class: 'btn btn-primary'

config/locales/aardbei_en.yml

@@ -38,6 +38,8 @@ en:
   send_email: "Send email"
   overview: "Overzicht"
 
+  somethingbroke: "Something broke!"
+
   areyousure: "Are you sure?"
 
   value_required: "A required value was omitted."

config/locales/aardbei_nl.yml

@@ -19,6 +19,8 @@ nl:
 
   areyousure: "Weet je het zeker?"
 
+  somethingbroke: "Er is iets misgegaan!"
+
   value_required: "Een verplichte vraag was leeg."
 
   invalid_csrf: "Ongeldig authenticiteitstoken! Als je hier terecht bent gekomen na het klikken op een link is het mogelijk dat iemand iets naars probeerde!"

config/locales/authentication/en.yml

@@ -8,6 +8,7 @@ en:
     please_sign_in: "Please sign in"
     remember_me: "Remember me"
 
+    current_password: "Current password"
     new_password: "New password"
     new_password_confirm: "Confirm new password"
 
@@ -17,6 +18,7 @@ en:
     invalid_token: "Invalid token!"
     expired_token: "Your token has expired, please request another one."
     invalid_user_or_pass: "Invalid username/password combination!"
+    invalid_pass: "Your current password is incorrect." # In settings only
     login_required: "You need to be logged in to do that."
     admin_required: "You need to be an administrator to do that."
     organizer_required: "You need to be an organizer to do that."
@@ -26,7 +28,9 @@ en:
     password_repeat_mismatch: "Password confirmation does not match your password!"
     activation_complete: "Your account has been confirmed, you may now log in."
     password_reset_complete: "Your password has been reset, you may now log in."
+    password_changed: "Your password has been changed!"
     user_person_mail_mismatch: "must be the same as associated person's email"
+    password_blank: "Your password cannot be blank."
 
     emails:
       sent: "An email has been sent, check your inbox!"

config/locales/authentication/nl.yml

@@ -8,6 +8,7 @@ nl:
     please_sign_in: "Log eerst in"
     remember_me: "Onthouden"
 
+    current_password: "Huidig wachtwoord"
     new_password: "Nieuw wachtwoord"
     new_password_confirm: "Herhaal nieuw wachtwoord"
 
@@ -16,6 +17,7 @@ nl:
     unknown_email: "Onbekend e-mailadres."
     invalid_token: "Ongeldig token!"
     expired_token: "Je token is verlopen, vraag een nieuwe aan."
+    invalid_pass: "Je huidige wachtwoord is onjuist."
     invalid_user_or_pass: "Gebruikersnaam en/of wachtwoord onjuist."
     login_required: "Je moet eerst inloggen."
     admin_required: "Je moet een beheerder zijn om dat te doen."
@@ -26,7 +28,9 @@ nl:
     password_repeat_mismatch: "Je hebt niet twee keer hetzelfde wachtwoord ingevuld!"
     activation_complete: "Je account is geactiveerd, je kunt nu inloggen."
     password_reset_complete: "Je wachtwoord is opnieuw ingesteld, je kunt nu inloggen."
+    password_changed: "Je wachtwoord is veranderd!"
     user_person_mail_mismatch: "moet hetzelfde zijn als het emailadres van de verbonden persoon"
+    password_blank: "Je wachtwoord kan niet leeg zijn."
 
     emails:
       sent: "Mail verstuurd!"

config/locales/settings_en.yml

@@ -3,6 +3,7 @@ en:
     settings: "Preferences"
     saved: "Preferences saved!"
     email_settings: "Email notifications"
+    change_password: "Change password"
 
     names:
       send_attendance_reminder: "Send notification on auto-respond"

config/locales/settings_nl.yml

@@ -3,9 +3,13 @@ nl:
     settings: "Instellingen"
     saved: "Instellingen opgeslagen!"
     email_settings: "Emailnotificaties"
+    change_password: "Wachtwoord veranderen"
+    logout_all_sessions: "Overal afmelden"
 
     names:
       send_attendance_reminder: "Stuur een herinnering bij niet gereageerd"
 
     descriptions:
       send_attendance_reminder: "Ontvang een email als je niet hebt gereageerd op een activiteit en je reactie automatisch op 'aanwezig' wordt gezet. Wanneer je deze herinnering ontvangt is het nog mogelijk om je reactie aan te passen."
+      logout_all_sessions: "Deze knop indrukken zorgt ervoor dat je overal je wachtwoord opnieuw moet invoeren. Dit gebeurt ook als je je wachtwoord verandert."
+      logged_in_at_count: "Je hebt op het moment %{count} actieve sessie(s)."

config/routes.rb

@@ -4,6 +4,8 @@ Rails.application.routes.draw do
   root to: 'dashboard#home'
   get 'settings', to: 'dashboard#settings', as: :settings
   post 'settings', to: 'dashboard#update_email_settings', as: :update_email_settings
+  post 'update_password', to: 'dashboard#update_password', as: :update_password
+  post 'logout_all', to: 'dashboard#logout_all_sessions', as: :logout_all
 
   get  'login', to: 'authentication#login_form', as: :login
   post 'login', to: 'authentication#login'

lib/tasks/sessions.rake

@@ -0,0 +1,10 @@
+namespace :sessions do
+  desc "Clean all expired sessions from the database"
+  task :clean => :environment do
+    expired = Session.where('sessions.expires < ?', Time.zone.now)
+    deactivated = Session.where(active: false)
+    puts "Cleaning #{expired.count} expired, #{deactivated.count} deactivated sessions."
+    expired.destroy_all
+    deactivated.destroy_all
+  end
+end