diff --git a/Gemfile b/Gemfile index ccc2913..5de7f90 100644 --- a/Gemfile +++ b/Gemfile @@ -21,9 +21,13 @@ gem 'jbuilder' # Reduces boot times through caching; required in config/boot.rb gem 'bootsnap', '>= 1.4.2', require: false +gem 'lockbox' + +gem 'aws-sdk-s3', require: false +# gem 'airrecord' gem 'google-api-client' gem 'rack-cors' -gem "sentry-raven" +gem 'sentry-raven' group :development, :test do # Call 'byebug' anywhere in the code to stop execution and get a debugger console diff --git a/Gemfile.lock b/Gemfile.lock index 01fe03f..eabe759 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -58,6 +58,22 @@ GEM zeitwerk (~> 2.2) addressable (2.7.0) public_suffix (>= 2.0.2, < 5.0) + aws-eventstream (1.0.3) + aws-partitions (1.263.0) + aws-sdk-core (3.89.1) + aws-eventstream (~> 1.0, >= 1.0.2) + aws-partitions (~> 1, >= 1.239.0) + aws-sigv4 (~> 1.1) + jmespath (~> 1.0) + aws-sdk-kms (1.27.0) + aws-sdk-core (~> 3, >= 3.71.0) + aws-sigv4 (~> 1.1) + aws-sdk-s3 (1.60.1) + aws-sdk-core (~> 3, >= 3.83.0) + aws-sdk-kms (~> 1) + aws-sigv4 (~> 1.1) + aws-sigv4 (1.1.0) + aws-eventstream (~> 1.0, >= 1.0.2) bootsnap (1.4.6) msgpack (~> 1.0) builder (3.2.4) @@ -96,10 +112,12 @@ GEM concurrent-ruby (~> 1.0) jbuilder (2.10.0) activesupport (>= 5.0.0) + jmespath (1.4.0) jwt (2.2.1) listen (3.2.1) rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) + lockbox (0.3.4) loofah (2.5.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) @@ -218,12 +236,14 @@ PLATFORMS ruby DEPENDENCIES + aws-sdk-s3 bootsnap (>= 1.4.2) byebug dotenv-rails google-api-client jbuilder listen + lockbox pg puma rack-cors diff --git a/README.md b/README.md index 3868adf..71621b9 100644 --- a/README.md +++ b/README.md 
@@ -28,6 +28,10 @@ To use the application the Google API client needs to be configured using the fo You can get those from the [Google APIs Dashboard](https://console.developers.google.com/apis/dashboard) +Additionally an encryption master key needs to be configured. [lockbox](https://github.com/ankane/lockbox) is used to encrypt sensitive data (e.g. access_token) at rest. + +* LOCKBOX_MASTER_KEY + Store those in a `.env` file; see `env.example` for an example. ### Run the application diff --git a/app/assets/stylesheets/application.css.scss b/app/assets/stylesheets/application.css.scss index 4e958d3..8c523df 100644 --- a/app/assets/stylesheets/application.css.scss +++ b/app/assets/stylesheets/application.css.scss @@ -14,22 +14,32 @@ *= require_self */ @import "bulma/sass/utilities/initial-variables"; +@import url('https://fonts.googleapis.com/css2?family=Roboto:ital,wght@0,300;0,400;0,500;1,300;1,400&family=Lobster&family=Comfortaa:wght@400;500;600;700&display=swap'); -$family-sans-serif: "Helvetica", -"Arial", -sans-serif; -// https://coolors.co/06aed5-086788-f0c808-fff1d0-dd1c1a -$blue: #083d77; -$red: #dd1c1a; -$orange: #ee964b; -$yellow: #f4d35e; -$light: #f5fafe; // #ebebd3; +$family-sans-serif: 'Roboto', sans-serif; +$family-secondary: 'Comfortaa', cursive; +// // https://coolors.co/06aed5-086788-f0c808-fff1d0-dd1c1a +// $blue: #083d77; +// $red: #dd1c1a; +// $orange: #ee964b; +// $yellow: #f4d35e; +// $light: #f5fafe; // #ebebd3; +// $primary: $blue; +// $green: #007932; // hsl(141, 53%, 53%); +// $footer-background-color: $light; + +$blue: #4c82fc; $primary: $blue; -$green: #007932; // hsl(141, 53%, 53%); -$footer-background-color: $light; + +$text: $grey-dark; +$body-background-color: #FAFCFE; @import 'bulma/bulma'; -.card-height{ - min-height: 200px; +.is-font-logo { + font-family: 'Lobster', cursive; +} + +body { + min-height: 100vh; } \ No newline at end of file 
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index e288f36..1be493f 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,4 +1,5 @@ class ApplicationController < ActionController::Base + helper_method :current_user, :logged_in? def require_login redirect_to login_url unless current_user.present? diff --git a/app/controllers/file_uploads_controller.rb b/app/controllers/file_uploads_controller.rb new file mode 100644 index 0000000..8ad47cc --- /dev/null +++ b/app/controllers/file_uploads_controller.rb @@ -0,0 +1,8 @@ +class FileUploadsController < ApplicationController + def show + @form = Form.find_by!(token: params[:form_id]) + @submission = @form.submissions.find(params[:submission_id]) + @file_upload = @submission.files_attachments.find(params[:id]) + redirect_to url_for(@file_upload) + end +end diff --git a/app/controllers/forms_controller.rb b/app/controllers/forms_controller.rb index a3d57c0..92c2ece 100644 --- a/app/controllers/forms_controller.rb +++ b/app/controllers/forms_controller.rb @@ -1,7 +1,7 @@ require 'google/apis/sheets_v4' require 'google/api_client/client_secrets' class FormsController < ApplicationController - before_action :require_login + before_action :require_login, except: [:form] def new @form = current_user.forms.build @@ -25,6 +25,10 @@ class FormsController < ApplicationController end end + def form + @form = Form.find_by!(token: params[:id]) + end + private def form_params diff --git a/app/controllers/submissions_controller.rb b/app/controllers/submissions_controller.rb index 66412fa..518a3eb 100644 --- a/app/controllers/submissions_controller.rb +++ b/app/controllers/submissions_controller.rb 
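Review bot: FileUploadsController#show applies no `before_action :require_login`, and since the FormsController hunk on the same line shows that filter being opted into explicitly (`before_action :require_login, except: [:form]`), the new `GET /s/:form_id/:submission_id/:id` route appears to be reachable without a session. Anyone holding the form token, which is embedded in the public form page, can walk the integer `submission_id` and `id` values and be redirected to every file uploaded through that form. These links are meant for the form owner reading the spreadsheet, so the lookup should be tied to the owner: `before_action :require_login` and `@form = current_user.forms.find_by!(token: params[:form_id])`. If the links must also work without a login, a non-guessable per-attachment token (e.g. the blob's signed id) should replace the sequential ids in the route.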
@@ -5,14 +5,18 @@ class SubmissionsController < ApplicationController def create @form = Form.find_by!(token: params[:form_id]) - @submission = @form.submissions.build(data: data_params) + # create a new submission object. we need a persisted submission to be able to process + # potential the data - to be able to create URLs to uploads which is added as link to the table + @submission = @form.submissions.create(remote_ip: request.remote_ip, referrer: request.referer) + # processes the submitted data and saves the submission + @submission.process_data(data_params) respond_to do |format| if @submission.save format.html { redirect_to(@form.thank_you_url) if @form.thank_you_url.present? } format.json { render(json: { success: true, data: @submission.data }) } else - format.html + format.html { redirect_to(@form.thank_you_url) if @form.thank_you_url.present? } format.json { render(json: { error: @submission.errors }, status: 422) } end end diff --git a/app/javascript/burger_menu.js b/app/javascript/burger_menu.js new file mode 100644 index 0000000..a37539d --- /dev/null +++ b/app/javascript/burger_menu.js @@ -0,0 +1,17 @@ +document.addEventListener('DOMContentLoaded', () => { + const $navbarBurgers = document.querySelectorAll('.navbar-burger'); + // Check if there are any navbar burgers + if ($navbarBurgers.length > 0) { + // Add a click event on each of them + $navbarBurgers.forEach(el => { + el.addEventListener('click', () => { + // Get the target from the "data-target" attribute + const target = el.dataset.target; + const $target = document.getElementById(target); + // Toggle the "is-active" class on both the "navbar-burger" and the "navbar-menu" + el.classList.toggle('is-active'); + $target.classList.toggle('is-active'); + }); + }); + } +}); diff --git a/app/javascript/packs/application.js b/app/javascript/packs/application.js index 9cd55d4..80561d9 100644 --- a/app/javascript/packs/application.js +++ b/app/javascript/packs/application.js 
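Review bot: The `else` branch of `create` now mirrors the success branch (`format.html { redirect_to(@form.thank_you_url) if @form.thank_you_url.present? }`), so an HTML submitter whose save failed is sent to the thank-you page, and because `@form.submissions.create(...)` persisted the row before `process_data` ran, the failed submission remains in the table. Either destroy the record on failure or render the form again with the errors instead of reusing the success redirect. `request.referer` is attacker-controlled header data written to a string column with no length cap; truncate it before storing. A short comment on why IP and referer are retained (and for how long) would also help, since both are personal data now kept per submission.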
@@ -8,10 +8,11 @@ require("turbolinks").start() require("@rails/activestorage").start() require("channels") +require('burger_menu'); // Uncomment to copy all static images under ../images to the output folder and reference // them with the image_pack_tag helper in views (e.g <%= image_pack_tag 'rails.png' %>) // or the `imagePath` JavaScript helper below. // // const images = require.context('../images', true) -// const imagePath = (name) => images(name, true) +// const imagePath = (name) => images(name, true) \ No newline at end of file diff --git a/app/jobs/submission_append_job.rb b/app/jobs/submission_append_job.rb new file mode 100644 index 0000000..096e5b0 --- /dev/null +++ b/app/jobs/submission_append_job.rb @@ -0,0 +1,16 @@ +class SubmissionAppendJob < ApplicationJob + queue_as :default + + rescue_from(Signet::AuthorizationError, Google::Apis::AuthorizationError) do |exception| + submission_id = self.arguments.first + Rails.logger.error("AuthorizationError during SubmissionAppend: submission_id=#{submission_id}") + submission = Submission.find(submission_id) + submission.form.deactivate!('AuthorizationError') + end + + def perform(*args) + submission_id = args.first + submission = Submission.find(submission_id) + submission.append_to_spreadsheet + end +end diff --git a/app/models/authentication.rb b/app/models/authentication.rb index 4195dc4..58fe264 100644 --- a/app/models/authentication.rb +++ b/app/models/authentication.rb @@ -1,6 +1,9 @@ class Authentication < ApplicationRecord belongs_to :user + encrypts :access_token + encrypts :refresh_token + def expired? expires_at <= Time.current end diff --git a/app/models/form.rb b/app/models/form.rb index 9752094..c70d3bd 100644 --- a/app/models/form.rb +++ b/app/models/form.rb 
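Review bot: The `rescue_from` handler in SubmissionAppendJob swallows the authorization error after deactivating the form, so the submission is never appended and nothing beyond the log line records that it was dropped; `perform` also declares `*args` although `perform_later(self.id)` always passes exactly one id. Consider `def perform(submission_id)` and, for failures other than authorization (network, rate limits), `retry_on` with a bounded attempts count so a single transient error does not silently lose the row. Deactivating the user's last authentication on the first AuthorizationError also affects every form that user owns; if that is intended, a comment saying so would help the next reader.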
@@ -11,6 +11,14 @@ class Form < ApplicationRecord validates_presence_of :title + def deactivate!(reason = nil) + self.user.deactivate!(reason) + end + + def active? + self.user.active? + end + def google_spreadsheet_url "https://docs.google.com/spreadsheets/d/#{google_spreadsheet_id}/edit" if google_spreadsheet_id.present? end diff --git a/app/models/submission.rb b/app/models/submission.rb index db3d510..899469c 100644 --- a/app/models/submission.rb +++ b/app/models/submission.rb 
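Review bot: `deactivate!` and `active?` only forward to `user` with an explicit `self.` receiver that Ruby style guides discourage; both collapse to one line, `delegate :deactivate!, :active?, to: :user`, which keeps the same interface including the optional `reason` argument. A one-line comment above it stating that a form is active exactly when its owner's Google authorization is would document the contract, since nothing in this hunk consults a form-level flag.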
@@ -1,19 +1,37 @@ class Submission < ApplicationRecord belongs_to :form - after_create :append_to_spreadsheet - validates_presence_of :data + has_many_attached :files - def data=(value) - sanitized_data = {} - value.each do |key, value| - sanitized_data[key] = submission_value(value) + validates_presence_of :data, if: :appended_at? + + def process_data(submitted_data) + processed_data = {} + submitted_data.each do |key, value| + processed_data[key] = submission_value_for(value) end - write_attribute(:data, sanitized_data) + update_attribute(:data, processed_data) + SubmissionAppendJob.perform_later(self.id) end - def submission_value(value) - if value.to_s.downcase == 'tinyforms_now' + def submission_value_for(value) + case value + when Array + value.join(', ') + when Hash + JSON.dump(value) + when 'tinyforms_now' Time.now.utc.to_formatted_s(:rfc822) + when ActionDispatch::Http::UploadedFile + # manually create the ActiveStorage attachment because we need the ID of the Attachment to create the URL + # first the file needs to be uplaoded then we can create an Attachment + # The CreateOne mainly handles the uplaod and the creation of the blob for us + # `files` is the name from `has_many_attached :files` + create_one = ActiveStorage::Attached::Changes::CreateOne.new('files', self, value) + create_one.upload + attachment = ActiveStorage::Attachment.new(record: self, name: 'files', blob: create_one.blob) + attachment.save + # return the URL that we use to show in the Spreadsheet + Rails.application.routes.url_helpers.file_upload_url(form_id: form, submission_id: self, id: attachment.id, host: DEFAULT_HOST) else value.to_s end diff --git a/app/models/user.rb b/app/models/user.rb index a9e3a7d..2918dc3 100644 --- a/app/models/user.rb +++ b/app/models/user.rb 
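Review bot: The `ActionDispatch::Http::UploadedFile` branch of `submission_value_for` pushes whatever a public, unauthenticated form posts straight into the storage service with no size or content-type check, and the result of `attachment.save` is discarded, so a failed attachment still yields a URL in the spreadsheet that points at nothing. Add a size guard before `create_one.upload` and use `attachment.save!`; since `process_data` is called from the controller outside the `respond_to`, the guard's exception would need to be rescued there into the 422 path (that controller hunk is on another line of this diff). Two smaller points: `when 'tinyforms_now'` is now an exact, case-sensitive match where the removed code compared `value.to_s.downcase`, which silently changes behavior for existing forms, and `update_attribute` skips validations, so `validates_presence_of :data` never runs on this path. `uplaoded` is misspelled twice in the new comments.
```ruby
    when ActionDispatch::Http::UploadedFile
      # MAX_UPLOAD_BYTES is a placeholder constant; the project must choose the limit
      raise ArgumentError, "upload exceeds #{MAX_UPLOAD_BYTES} bytes" if value.size > MAX_UPLOAD_BYTES
      create_one = ActiveStorage::Attached::Changes::CreateOne.new('files', self, value)
      create_one.upload
      attachment = ActiveStorage::Attachment.new(record: self, name: 'files', blob: create_one.blob)
      attachment.save!
      # … unchanged: URL generation for the spreadsheet …
```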
@@ -8,7 +8,12 @@ class User < ApplicationRecord user_info = oauth.get_userinfo if user = User.find_by(google_id: user_info.id) - return user, user.authentications.last + authentication = user.authentications.last + authentication.access_token = auth_client.access_token if auth_client.access_token.present? + authentication.refresh_token = auth_client.refresh_token if auth_client.refresh_token.present? + authentication.expires_at = Time.at(auth_client.expires_at) if auth_client.expires_at.present? + authentication.save + return user, authentication else user = User.create(name: user_info.name, email: user_info.email, google_id: user_info.id) authentication = user.authentications.create( @@ -20,6 +25,15 @@ class User < ApplicationRecord end end + def deactivate!(reason = nil) + # currently we only use deactivate if we get an authentication exception appending data to a spreadsheet + authentications.last&.update(expires_at: Time.current) + end + + def active? + authentications.last.present? && !authentications.last.expired? + end + def google_authorization authentications.last.google_authorization end diff --git a/app/views/forms/form.html.erb b/app/views/forms/form.html.erb new file mode 100644 index 0000000..b3f6ebb --- /dev/null +++ b/app/views/forms/form.html.erb @@ -0,0 +1,12 @@ +
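Review bot: `authentication.save` on the existing-user path ignores its return value, so if the refreshed tokens fail to persist (a validation or encryption error) the method still returns that `authentication` and the caller proceeds with credentials that were never stored; `authentication.save!` makes the failure visible. The enclosing class method starts before this hunk. In the second hunk, `active?` evaluates `authentications.last` twice, which may issue two queries and can observe different rows between them; `auth = authentications.last` followed by `auth.present? && !auth.expired?` reads it once. `deactivate!` accepts a `reason` that it never records; either persist it or drop the parameter from the signature.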

<%= @form.title %>

+ +<%= form_with url: submission_url(@form), action: 'post', authenticity_token: false, local: true, html: { enctype: 'multipart/form-data' } do %> + <% @form.header_values.each do |header| %> +

+

+ <% end %> + + <%= submit_tag 'Send', name: nil %> +<% end %> diff --git a/app/views/home/index.html.erb b/app/views/home/index.html.erb index 2c2945f..5be9a9b 100644 --- a/app/views/home/index.html.erb +++ b/app/views/home/index.html.erb @@ -1,3 +1,12 @@ -

Welcome

- -<%= link_to "Login", login_url %> +
+
+
+

+ Welcome +

+

+ Generate forms instantly +

+
+
+
\ No newline at end of file diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb index a3f2f45..3ef6a2f 100644 --- a/app/views/layouts/application.html.erb +++ b/app/views/layouts/application.html.erb @@ -1,5 +1,6 @@ +<<<<<<< HEAD Tinyform <%= csrf_meta_tags %> @@ -15,3 +16,64 @@ +======= + + + Tinyform + <%= csrf_meta_tags %> + <%= csp_meta_tag %> + + + <%= stylesheet_link_tag 'application', media: 'all', 'data-turbolinks-track': 'reload' %> + <%= javascript_pack_tag 'application', 'data-turbolinks-track': 'reload' %> + + + + +
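Review bot: The new side of `app/views/layouts/application.html.erb` carries unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> master`) and appears to hold two complete documents, so every page would render the marker text and duplicate head/body elements. Resolve the conflict so the file contains a single document; the `master` side looks like the intended one since it includes the navbar and `csp_meta_tag`. The rendered layout as captured here has lost its markup, so the exact lines should be checked against the raw file.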
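Review bot: `DEFAULT_HOST = ENV['DEFAULT_HOST'] || 'localhost:3000'` silently falls back to a development host, so a production deployment that omits the variable writes `http://localhost:3000/s/...` links into users' spreadsheets and the mistake only surfaces there. `ENV.fetch('DEFAULT_HOST')` would fail at boot instead, or keep the fallback only under `Rails.env.development?`. The helper this feeds (`file_upload_url(..., host: DEFAULT_HOST)` in the submission model hunk) sets no `protocol`, so the links are `http` unless the value carries a scheme; a comment documenting the expected form of the value (`host[:port]` versus full origin) would help.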
+ + +
+
+
+ +
+
+ +
+ <%= yield %> +
+
+ + + + + +>>>>>>> master diff --git a/config/environments/production.rb b/config/environments/production.rb index 6ac7045..51f2525 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -36,7 +36,7 @@ Rails.application.configure do # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX # Store uploaded files on the local file system (see config/storage.yml for options). - config.active_storage.service = :local + config.active_storage.service = :amazon # Mount Action Cable outside main process or domain. # config.action_cable.mount_path = nil diff --git a/config/initializers/host.rb b/config/initializers/host.rb new file mode 100644 index 0000000..e4d2eaa --- /dev/null +++ b/config/initializers/host.rb @@ -0,0 +1 @@ +DEFAULT_HOST = ENV['DEFAULT_HOST'] || 'localhost:3000' diff --git a/config/routes.rb b/config/routes.rb index 39fe148..5bc2fc6 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -2,10 +2,16 @@ Rails.application.routes.draw do # For details on the DSL available within this file, see https://guides.rubyonrails.org/routing.html resources :forms do + member { get :form } resources :submissions end + # short link for submission file uploads + get '/s/:form_id/:submission_id/:id' => 'file_uploads#show', as: :file_upload + # form post url to save new submissions post '/s/:form_id' => 'submissions#create', as: :submission + # short URL for form page + get '/s/:id/form' => 'forms#form', as: :form_submitter get '/login' => 'sessions#new', as: :login get '/logout' => 'sessions#destroy', as: :logout diff --git a/config/storage.yml b/config/storage.yml index d32f76e..64a4621 100644 --- a/config/storage.yml +++ b/config/storage.yml 
@@ -6,13 +6,13 @@ local: service: Disk root: <%= Rails.root.join("storage") %> -# Use rails credentials:edit to set the AWS secrets (as aws:access_key_id|secret_access_key) -# amazon: -# service: S3 +# access keys and region are configured using environment variables +amazon: + service: S3 + bucket: <%= ENV['AWS_S3_BUCKET'] %> # access_key_id: <%= Rails.application.credentials.dig(:aws, :access_key_id) %> # secret_access_key: <%= Rails.application.credentials.dig(:aws, :secret_access_key) %> -# region: us-east-1 -# bucket: your_own_bucket +# region: ENV['AWS_REGION'] # Remember not to checkin your GCS keyfile to a repository # google: diff --git a/db/migrate/20200406221804_create_active_storage_tables.active_storage.rb b/db/migrate/20200406221804_create_active_storage_tables.active_storage.rb new file mode 100644 index 0000000..0b2ce25 --- /dev/null +++ b/db/migrate/20200406221804_create_active_storage_tables.active_storage.rb @@ -0,0 +1,27 @@ +# This migration comes from active_storage (originally 20170806125915) +class CreateActiveStorageTables < ActiveRecord::Migration[5.2] + def change + create_table :active_storage_blobs do |t| + t.string :key, null: false + t.string :filename, null: false + t.string :content_type + t.text :metadata + t.bigint :byte_size, null: false + t.string :checksum, null: false + t.datetime :created_at, null: false + + t.index [ :key ], unique: true + end + + create_table :active_storage_attachments do |t| + t.string :name, null: false + t.references :record, null: false, polymorphic: true, index: false + t.references :blob, null: false + + t.datetime :created_at, null: false + + t.index [ :record_type, :record_id, :name, :blob_id ], name: "index_active_storage_attachments_uniqueness", unique: true + t.foreign_key :active_storage_blobs, column: :blob_id + end + end +end diff --git a/db/migrate/20200408212150_add_lockbox_columns.rb b/db/migrate/20200408212150_add_lockbox_columns.rb new file mode 100644 index 0000000..05d0e49 --- /dev/null 
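Review bot: The new comment says access keys and region come from environment variables, but `# region: ENV['AWS_REGION']` is commented out and, if uncommented, would be the literal string rather than an ERB expression; either drop the line or make it `region: <%= ENV['AWS_REGION'] %>` so the file documents what the deployment actually relies on. Leaving the credential lines out and letting the SDK read the environment or an instance role is a sound choice, but a one-line comment naming the variables the SDK reads (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`) would save the next operator a lookup.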
+++ b/db/migrate/20200408212150_add_lockbox_columns.rb @@ -0,0 +1,8 @@ +class AddLockboxColumns < ActiveRecord::Migration[6.0] + def change + add_column :authentications, :access_token_ciphertext, :text + add_column :authentications, :refresh_token_ciphertext, :text + remove_column :authentications, :access_token + remove_column :authentications, :refresh_token + end +end diff --git a/db/migrate/20200409001610_add_metadata_to_submissions.rb b/db/migrate/20200409001610_add_metadata_to_submissions.rb new file mode 100644 index 0000000..cb9faf4 --- /dev/null +++ b/db/migrate/20200409001610_add_metadata_to_submissions.rb @@ -0,0 +1,6 @@ +class AddMetadataToSubmissions < ActiveRecord::Migration[6.0] + def change + add_column :submissions, :remote_ip, :string + add_column :submissions, :referrer, :string + end +end diff --git a/db/schema.rb b/db/schema.rb index b1176f2..4e875ea 100644 --- a/db/schema.rb +++ b/db/schema.rb 
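Review bot: `remove_column :authentications, :access_token` (and `:refresh_token`) inside `change` gives no column type, which makes the migration irreversible on `db:rollback`; `remove_column :authentications, :access_token, :string` restores reversibility (the schema hunk confirms both were `string`). The migration also drops the plaintext tokens without copying them into the new `_ciphertext` columns, so every existing Google authorization is lost and those users must sign in again; if that is acceptable a comment should say so, otherwise encrypt the existing values into the new columns before removing the old ones (lockbox documents a `Lockbox.migrate` helper for this). Moving the tokens to encrypted columns is the right direction; the data path just needs to be explicit.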
@@ -10,18 +10,39 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 2020_04_05_161905) do +ActiveRecord::Schema.define(version: 2020_04_09_001610) do # These are extensions that must be enabled in order to support this database enable_extension "plpgsql" + create_table "active_storage_attachments", force: :cascade do |t| + t.string "name", null: false + t.string "record_type", null: false + t.bigint "record_id", null: false + t.bigint "blob_id", null: false + t.datetime "created_at", null: false + t.index ["blob_id"], name: "index_active_storage_attachments_on_blob_id" + t.index ["record_type", "record_id", "name", "blob_id"], name: "index_active_storage_attachments_uniqueness", unique: true + end + + create_table "active_storage_blobs", force: :cascade do |t| + t.string "key", null: false + t.string "filename", null: false + t.string "content_type" + t.text "metadata" + t.bigint "byte_size", null: false + t.string "checksum", null: false + t.datetime "created_at", null: false + t.index ["key"], name: "index_active_storage_blobs_on_key", unique: true + end + create_table "authentications", force: :cascade do |t| t.integer "user_id" - t.string "access_token" - t.string "refresh_token" t.datetime "expires_at" t.datetime "created_at", precision: 6, null: false t.datetime "updated_at", precision: 6, null: false + t.text "access_token_ciphertext" + t.text "refresh_token_ciphertext" end create_table "forms", force: :cascade do |t| @@ -40,6 +61,8 @@ ActiveRecord::Schema.define(version: 2020_04_05_161905) do t.datetime "appended_at" t.datetime "created_at", precision: 6, null: false t.datetime "updated_at", precision: 6, null: false + t.string "remote_ip" + t.string "referrer" end create_table "users", force: :cascade do |t| 
@@ -50,4 +73,5 @@ ActiveRecord::Schema.define(version: 2020_04_05_161905) do t.datetime "updated_at", precision: 6, null: false end + add_foreign_key "active_storage_attachments", "active_storage_blobs", column: "blob_id" end diff --git a/env.example b/env.example index 3ace5a2..70b5e82 100644 --- a/env.example +++ b/env.example @@ -1,3 +1,4 @@ GOOGLE_CLIENT_ID=clientid GOOGLE_CLIENT_SECRET=secret GOOGLE_PROJECT_ID=projectid +LOCKBOX_MASTER_KEY=f7b18b63d3f7ec48fa78bab327cdf81b0969020f70dc16947b14572cde3e2b7d diff --git a/form.html b/form.html new file mode 100644 index 0000000..4611f99 --- /dev/null +++ b/form.html @@ -0,0 +1,30 @@ + + + + Tinyforms + + + + +
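Review bot: `LOCKBOX_MASTER_KEY=f7b18b…` in `env.example` is a full 64-hex-character value that looks like a real key; example files get copied verbatim, so any deployment that keeps it shares a master key that is now public in the repository history. Replace it with an obvious placeholder such as `LOCKBOX_MASTER_KEY=<generate with Lockbox.generate_key>` and treat the committed value as burned. The binary `tinyforms_development` added in the same commit, named like the development database, also looks unintentional and should be removed and ignored.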

Test form

+
+ +

+ + +

+

+ + + + +

+

+ + +

+ +
+ + + diff --git a/package.json b/package.json index 2565492..e7e23f4 100644 --- a/package.json +++ b/package.json @@ -7,6 +7,7 @@ "@rails/ujs": "^6.0.0", "@rails/webpacker": "4.2.2", "bulma": "^0.8.1", + "bulma-helpers": "^0.3.10", "turbolinks": "^5.2.0" }, "version": "0.1.0", diff --git a/tinyforms_development b/tinyforms_development new file mode 100644 index 0000000..0544d39 Binary files /dev/null and b/tinyforms_development differ diff --git a/yarn.lock b/yarn.lock index 8c263bf..9956bd1 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1540,6 +1540,11 @@ builtin-status-codes@^3.0.0: resolved "https://registry.yarnpkg.com/builtin-status-codes/-/builtin-status-codes-3.0.0.tgz#85982878e21b98e1c66425e03d0174788f569ee8" integrity sha1-hZgoeOIbmOHGZCXgPQF0eI9Wnug= +bulma-helpers@^0.3.10: + version "0.3.10" + resolved "https://registry.yarnpkg.com/bulma-helpers/-/bulma-helpers-0.3.10.tgz#a0ab518b44343bb708339ade721f7355d159a547" + integrity sha512-dgJB8LreVzAHJfcbYUUONA0oo/cdWxhFt1b/DlmTLaukYTjkdM5GP9A7DRyssjuRhcozIqzTm//BLLR313Xw3Q== + bulma@^0.8.1: version "0.8.1" resolved "https://registry.yarnpkg.com/bulma/-/bulma-0.8.1.tgz#a5feacb703b73a87fdeae4f0d12317d62fc1d301"