Add RemoteStorageAuthorization model

.env.example

@@ -7,8 +7,6 @@ SMTP_DOMAIN=example.com
 SMTP_AUTH_METHOD=plain
 SMTP_ENABLE_STARTTLS=auto
 
-REDIS_URL='redis://localhost:6379/1'
-
 LDAP_HOST=localhost
 LDAP_PORT=389
 LDAP_ADMIN_PASSWORD=passthebutter
@@ -20,6 +18,7 @@ DISCOURSE_PUBLIC_URL='https://community.kosmos.org'
 GITEA_PUBLIC_URL='https://gitea.kosmos.org'
 MASTODON_PUBLIC_URL='https://kosmos.social'
 MEDIAWIKI_PUBLIC_URL='https://wiki.kosmos.org'
+RS_STORAGE_URL='https://storage.kosmos.org'
 
 EJABBERD_ADMIN_URL='https://xmpp.kosmos.org/admin'
 EJABBERD_API_URL='https://xmpp.kosmos.org/api'

.gitea/release-drafter.yml

@@ -1,13 +0,0 @@
-name-template: 'v$RESOLVED_VERSION'
-tag-template: 'v$RESOLVED_VERSION'
-version-resolver:
-  major:
-    labels:
-      - 'release/major'
-  minor:
-    labels:
-      - 'release/minor'
-  patch:
-    labels:
-      - 'release/patch'
-  default: patch

.gitea/workflows/release_drafter.yml

@@ -1,11 +0,0 @@
-name: Release Drafter
-on:
-  pull_request:
-    types: [closed]
-jobs:
-  release_drafter_job:
-    name: Update release notes draft
-    runs-on: ubuntu-latest
-    steps:
-      - name: Release Drafter
-        uses: https://github.com/raucao/gitea-release-drafter@dev

Dockerfile

@@ -1,13 +1,8 @@
 # syntax=docker/dockerfile:1
 FROM ruby:2.7.6
-
+RUN apt-get update -qq && apt-get install -y curl ldap-utils
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
-RUN apt-get update -qq && apt-get install -y --no-install-recommends curl \
-      ldap-utils tini
 RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash -
 RUN apt-get update && apt-get install -y nodejs
-
 WORKDIR /akkounts
 COPY Gemfile /akkounts/Gemfile
 COPY Gemfile.lock /akkounts/Gemfile.lock
@@ -17,5 +12,11 @@ RUN gem install foreman
 RUN npm install -g yarn
 RUN yarn install
 
-ENTRYPOINT ["/usr/bin/tini", "--"]
+# Add a script to be executed every time the container starts.
+COPY docker/entrypoint.sh /usr/bin/
+RUN chmod +x /usr/bin/entrypoint.sh
+ENTRYPOINT ["entrypoint.sh"]
 EXPOSE 3000
+
+# Configure the main process to run when running the image
+CMD ["bin", "dev"]

Gemfile

@@ -48,10 +48,6 @@ gem 'faraday'
 gem 'sidekiq', '< 7'
 gem 'sidekiq-scheduler'
 
-# Monitoring
-gem "sentry-ruby"
-gem "sentry-rails"
-
 group :development, :test do
   # Use sqlite3 as the database for Active Record
   gem 'sqlite3', '~> 1.4'

Gemfile.lock

@@ -254,11 +254,6 @@ GEM
     ruby2_keywords (0.0.5)
     rufus-scheduler (3.8.2)
       fugit (~> 1.1, >= 1.1.6)
-    sentry-rails (5.8.0)
-      railties (>= 5.0)
-      sentry-ruby (~> 5.8.0)
-    sentry-ruby (5.8.0)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
     sidekiq (6.5.5)
       connection_pool (>= 2.2.2)
       rack (~> 2.0)
@@ -340,8 +335,6 @@ DEPENDENCIES
   rails-settings-cached (~> 2.8.3)
   rqrcode (~> 2.0)
   rspec-rails
-  sentry-rails
-  sentry-ruby
   sidekiq (< 7)
   sidekiq-scheduler
   sprockets-rails

README.md

@@ -14,7 +14,7 @@ so:
 
 1. Make sure [Docker Compose is installed][1] and Docker is running (included in
    Docker Desktop)
-2. Uncomment the `redis`, `web`, and `sidekiq` sections in `docker-compose.yml`
+2. Uncomment the `web` section in `docker-compose.yml`
 3. Run `docker compose up` and wait until 389ds announces its successful start
    in the log output
 4. `docker-compose exec ldap dsconf localhost backend create --suffix="dc=kosmos,dc=org" --be-name="dev"`

app/assets/stylesheets/components/links.css

@@ -5,4 +5,10 @@
     &:visited { @apply text-indigo-600; }
     &:active  { @apply text-red-600; }
   }
+
+  .devise-links {
+    a {
+      @apply ks-text-link;
+    }
+  }
 }

app/components/form_elements/toggle_component.html.erb

@@ -1,6 +1,6 @@
 <%= button_tag type: "button", name: "toggle", data: @data,
       role: "switch", aria: { checked: @enabled.to_s },
-      tabindex: @tabindex, disabled: !@input_enabled,
+      disabled: !@input_enabled,
       class: "#{ @enabled ? 'bg-blue-600' : 'bg-gray-200' }
               #{ @class_names.present? ? @class_names : '' }
               relative inline-flex h-6 w-11 flex-shrink-0 cursor-pointer

app/components/form_elements/toggle_component.rb

@@ -2,12 +2,11 @@
 
 module FormElements
   class ToggleComponent < ViewComponent::Base
-    def initialize(enabled:, input_enabled: true, data: nil, class_names: nil, tabindex: nil)
+    def initialize(enabled:, input_enabled: true, data: nil, class_names: nil)
       @enabled = !!enabled
       @input_enabled = input_enabled
       @data = data
       @class_names = class_names
-      @tabindex = tabindex
     end
   end
 end

app/controllers/application_controller.rb

@@ -3,18 +3,6 @@ class ApplicationController < ActionController::Base
     render :text => exception, :status => 500
   end
 
-  before_action :sentry_set_user
-
-  def sentry_set_user
-    return unless Setting.sentry_enabled
-
-    if user_signed_in?
-      Sentry.set_user(id: current_user.id, username: current_user.cn)
-    else
-      Sentry.set_user({})
-    end
-  end
-
   def require_user_signed_in
     unless user_signed_in?
       redirect_to welcome_path and return

app/controllers/rs/oauth_controller.rb

@@ -0,0 +1,130 @@
+class Rs::OauthController < ApplicationController
+  before_action :require_user_signed_in
+
+  def new
+    username, org  = params[:useraddress].split("@")
+    @user          = User.where(cn: username.downcase, ou: org).first
+    @scopes        = parse_scopes params[:scope]
+    @redirect_uri  = params[:redirect_uri]
+    @client_id     = params[:client_id]
+    @state         = params[:state]
+    @root_access_requested = (@scopes & [":r",":rw"]).any?
+
+    @denial_url = url_with_state("#{@redirect_uri}#error=access_denied", @state)
+
+    @expire_at_dates = [["Never", nil],
+                        ["In 1 month", 1.month.from_now],
+                        ["In 1 day", 1.day.from_now]]
+
+    http_status :bad_request and return unless @redirect_uri.present?
+
+    unless current_user == @user
+      sign_out :user
+
+      redirect_to new_rs_oauth_url(@user.address,
+                                   scope: params[:scope],
+                                   redirect_uri: params[:redirect_uri],
+                                   client_id: params[:client_id],
+                                   state: params[:state])
+      return
+    end
+
+    unless @client_id.present?
+      redirect_to url_with_state("#{@redirect_uri}#error=invalid_request", @state) and return
+    end
+
+    if @scopes.empty?
+      redirect_to url_with_state("#{@redirect_uri}#error=invalid_scope", @state) and return
+    end
+
+    unless hostname_of(@client_id) == hostname_of(@redirect_uri)
+      redirect_to url_with_state("#{@redirect_uri}#error=invalid_client", @state) and return
+    end
+
+    @client_id.gsub!(/http(s)?:\/\//, "")
+
+    # TODO
+    # if auth = current_user.remote_storage_authorizations.valid.where(permissions: @scopes, client_id: @client_id).first
+    #   redirect_to url_with_state("#{@redirect_uri}#access_token=#{auth.token}", @state), allow_other_host: true
+    # end
+  end
+
+  def create
+    unless current_user.id.to_s == params[:user_id]
+      Rails.logger.info("NO MATCH: #{params[:user_id]}, #{current_user.id}")
+      http_status :forbidden and return
+    end
+
+    permissions  = parse_scopes params[:scope]
+    redirect_uri = params[:redirect_uri].presence
+    client_id    = params[:client_id].presence
+    state        = params[:state].presence
+    expire_at    = params[:expire_at].presence
+
+    http_status :bad_request and return unless redirect_uri.present?
+
+    if permissions.empty?
+      redirect_to url_with_state("#{redirect_uri}#error=invalid_scope", state), allow_other_host: true and return
+    end
+
+    unless client_id.present?
+      redirect_to url_with_state("#{redirect_uri}#error=invalid_request", state), allow_other_host: true and return
+    end
+
+    unless hostname_of(client_id) == hostname_of(redirect_uri)
+      redirect_to url_with_state("#{redirect_uri}#error=invalid_client", state), allow_other_host: true and return
+    end
+
+    client_id.gsub!(/http(s)?:\/\//, "")
+
+    auth = current_user.remote_storage_authorizations.create!(
+      permissions: permissions,
+      client_id: client_id,
+      redirect_uri: redirect_uri,
+      app_name: client_id, #TODO use user-defined name
+      expire_at: expire_at
+    )
+
+    redirect_to url_with_state("#{redirect_uri}#access_token=#{auth.token}", state), allow_other_host: true
+  end
+
+  # GET /rs/oauth/token/:id/launch_app
+  def launch_app
+    auth = current_user.remote_storage_authorizations.find(params[:id])
+
+    redirect_to app_auth_url(auth)
+  end
+
+  private
+
+  def app_auth_url(auth)
+    url = "#{auth.url}#remotestorage=#{current_user.address}"
+    url += "&access_token=#{auth.token}"
+    url
+  end
+
+  def hostname_of(uri)
+    uri.gsub(/http(s)?:\/\//, "").split(":")[0].split("/")[0]
+  end
+
+  def parse_scopes(scope_string)
+    return [] if scope_string.blank?
+
+    scopes = scope_string.
+      gsub(/\[|\]/, "").
+      gsub(/\,/, " ").
+      gsub(/\/:/, ":").
+      split(/\s/).map(&:strip).
+      reject(&:empty?)
+
+    scopes = [":r"] if scopes.include?("*:r")
+    scopes = [":rw"] if scopes.include?("*:rw")
+
+    scopes
+  end
+
+  def url_with_state(url, state)
+    state ? "#{url}&state=#{CGI.escape(state)}" : url
+  end
+
+end

app/helpers/oauth_helper.rb

@@ -0,0 +1,11 @@
+module OauthHelper
+
+  def scope_name(scope)
+    scope.gsub(/(\:.+)/, '')
+  end
+
+  def scope_permissions(scope)
+    scope.match(/\:r$/) ? "r" : "rw"
+  end
+
+end

app/javascript/controllers/notification_controller.js

@@ -4,10 +4,6 @@ export default class extends Controller {
   static targets = ["buttons", "countdown"]
 
   connect() {
-    // Devise timeoutable ends up adding a second flash message without content
-    // TODO investigate bug
-    if (this.element.textContent.trim() == "true") return;
-
     const timeoutSeconds = parseInt(this.data.get("timeout"));
 
     setTimeout(() => {

app/models/remote_storage_authorization.rb

@@ -0,0 +1,32 @@
+class RemoteStorageAuthorization < ApplicationRecord
+  belongs_to :user
+
+  serialize :permissions
+
+  validates_presence_of :permissions
+  validates_presence_of :client_id
+
+  scope :valid, -> { where(expire_at: nil).or(where(expire_at: (DateTime.now)..)) }
+  scope :expired, -> { where(expire_at: ..(DateTime.now)) }
+
+  after_initialize do |a|
+    a.permisisons = [] if a.permissions == nil
+  end
+
+  before_create  :generate_token
+
+  def url
+    if self.redirect_uri
+      uri = URI.parse self.redirect_uri
+      "#{uri.scheme}://#{client_id}"
+    else
+      "http://#{client_id}"
+    end
+  end
+
+  private
+
+  def generate_token(length=16)
+    self.token = SecureRandom.hex(length) if self.token.blank?
+  end
+end

app/models/setting.rb

@@ -2,13 +2,6 @@
 class Setting < RailsSettings::Base
   cache_prefix { "v1" }
 
-  #
-  # Internal services
-  #
-
-  field :redis_url, type: :string, readonly: true,
-    default: ENV["REDIS_URL"] || "redis://localhost:6379/0"
-
   #
   # Registrations
   #
@@ -17,13 +10,6 @@ class Setting < RailsSettings::Base
     account accounts donations mail webmaster support
   ]
 
-  #
-  # Sentry
-  #
-
-  field :sentry_enabled, type: :boolean, readonly: true,
-    default: (ENV["SENTRY_DSN"].present?.to_s || false)
-
   #
   # Discourse
   #
@@ -104,4 +90,14 @@ class Setting < RailsSettings::Base
   #
 
   field :nostr_enabled, type: :boolean, default: true
+
+  #
+  # RemoteStorage
+  #
+
+  field :remotestorage_enabled, type: :boolean,
+    default: (ENV["RS_STORAGE_URL"].present?.to_s || false)
+
+  field :rs_storage_url, type: :string,
+    default: ENV["RS_STORAGE_URL"].presence
 end

app/models/user.rb

@@ -14,6 +14,8 @@ class User < ApplicationRecord
 
   has_many :accounts, through: :lndhub_user
 
+  has_many :remote_storage_authorizations
+
   validates_uniqueness_of :cn
   validates_length_of :cn, :minimum => 3
   validates_format_of :cn, with: /\A([a-z0-9\-])*\z/,
@@ -38,9 +40,7 @@ class User < ApplicationRecord
   devise :ldap_authenticatable,
          :confirmable,
          :recoverable,
-         :validatable,
+         :validatable
-         :timeoutable,
-         :rememberable
 
   def ldap_before_save
     self.email = Devise::LDAP::Adapter.get_ldap_param(self.cn, "mail").first
@@ -65,10 +65,6 @@ class User < ApplicationRecord
     end
   end
 
-  def send_devise_notification(notification, *args)
-    devise_mailer.send(notification, self, *args).deliver_later
-  end
-
   def reset_password(new_password, new_password_confirmation)
     self.password = new_password
     self.password_confirmation = new_password_confirmation

app/views/admin/settings/services/_remotestorage.html.erb

@@ -0,0 +1,17 @@
+<h3>RemoteStorage</h3>
+<ul role="list">
+  <%= render FormElements::FieldsetToggleComponent.new(
+    form: f,
+    attribute: :remotestorage_enabled,
+    enabled: Setting.remotestorage_enabled?,
+    title: "Enable RemoteStorage integration",
+    description: "RemoteStorage configuration present and features enabled"
+  ) %>
+  <% if Setting.remotestorage_enabled? %>
+    <%= render FormElements::FieldsetComponent.new(title: "Storage URL") do %>
+      <%= f.text_field :rs_storage_url,
+        value: Setting.rs_storage_url,
+        class: "w-full", disabled: true %>
+    <% end %>
+  <% end %>
+</ul>

app/views/devise/sessions/new.html.erb

@@ -7,43 +7,19 @@
       <%= f.label :cn, 'User', class: 'block mb-2 font-bold' %>
       <p class="flex gap-2 items-center">
         <%= f.text_field :cn, autofocus: true, autocomplete: "username",
-              required: true, class: "relative grow", tabindex: "1" %>
+                              required: true, class: "relative grow"%>
         <span class="relative shrink-0 text-gray-500">@ kosmos.org</span>
       </p>
     </div>
-    <p class="mb-8">
+    <p>
       <%= f.label :password, class: 'block mb-2 font-bold' %>
       <%= f.password_field :password, autocomplete: "current-password",
-            required: true, class: "w-full", tabindex: "2" %>
+                                      required: true, class: "w-full"%>
     </p>
-
+    <p class="mt-8">
-    <%= tag.div class: "flex items-center mb-8 gap-x-3", data: {
+      <%= f.submit "Log in", class: 'btn-md btn-blue w-full' %>
-          controller: "settings--toggle",
-          :'settings--toggle-switch-enabled-value' => "false"
-        } do %>
-      <div class="relative inline-flex flex-shrink-0">
-        <%= render FormElements::ToggleComponent.new(
-              enabled: false, input_enabled: true, class_names: "hidden",
-              tabindex: "3", data: {
-                :'settings--toggle-target' => "button",
-                action: "settings--toggle#toggleSwitch"
-              }) %>
-        <%= f.check_box :remember_me, {
-              checked: false,
-              data: { :'settings--toggle-target' => "checkbox" }
-            }, "true", "false" %>
-      </div>
-      <%= f.label :remember_me,
-            class: "text-gray-500 flex flex-col",
-            data: { action: "click->settings--toggle#toggleSwitch" } %>
-      <p class="grow text-sm text-right">
-        <%= link_to "Forgot your password?", new_password_path(resource_name),
-              class: "text-gray-500 underline" %><br />
     </p>
   <% end %>
 
-    <p>
+  <%= render "devise/shared/links" %>
-      <%= f.submit "Log in", class: 'btn-md btn-blue w-full', tabindex: "4" %>
-    </p>
-  <% end %>
 <% end %>

app/views/devise/shared/_links.html.erb

@@ -1,29 +1,25 @@
 <div class="devise-links mt-8 text-sm">
   <%- if controller_name != 'sessions' %>
-    <p class="mb-2">
+    <p class="mb-1.5">
-      <%= link_to "Log in", new_session_path(resource_name),
+      <%= link_to "Log in", new_session_path(resource_name) %><br />
-            class: "text-gray-500 underline" %>
     </p>
   <% end %>
 
   <%- if devise_mapping.recoverable? && controller_name != 'passwords' && controller_name != 'registrations' %>
-    <p class="mb-2">
+    <p class="mb-1.5">
-      <%= link_to "Forgot your password?", new_password_path(resource_name),
+      <%= link_to "Forgot your password?", new_password_path(resource_name) %><br />
-            class: "text-gray-500 underline" %>
     </p>
   <% end %>
 
-  <%- if devise_mapping.confirmable? && !controller_name.match(/^(confirmations|sessions)$/) %>
+  <%- if devise_mapping.confirmable? && controller_name != 'confirmations' %>
-    <p class="mb-2">
+    <p class="mb-1.5">
-      <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name),
+      <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name) %><br />
-            class: "text-gray-500 underline" %>
     </p>
   <% end %>
 
   <%- if devise_mapping.lockable? && resource_class.unlock_strategy_enabled?(:email) && controller_name != 'unlocks' %>
-    <p class="mb-2">
+    <p class="mb-1.5">
-      <%= link_to "Didn't receive unlock instructions?", new_unlock_path(resource_name),
+      <%= link_to "Didn't receive unlock instructions?", new_unlock_path(resource_name) %><br />
-            class: "text-gray-500 underline" %>
     </p>
   <% end %>
 </div>

app/views/icons/_asterisk.html.erb

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 512 512" fill="currentColor" stroke="currentColor" stroke-width="2" class="<%= custom_class %>"><path d="M475.31 364.144L288 256l187.31-108.144c5.74-3.314 7.706-10.653 4.392-16.392l-4-6.928c-3.314-5.74-10.653-7.706-16.392-4.392L272 228.287V12c0-6.627-5.373-12-12-12h-8c-6.627 0-12 5.373-12 12v216.287L52.69 120.144c-5.74-3.314-13.079-1.347-16.392 4.392l-4 6.928c-3.314 5.74-1.347 13.079 4.392 16.392L224 256 36.69 364.144c-5.74 3.314-7.706 10.653-4.392 16.392l4 6.928c3.314 5.74 10.653 7.706 16.392 4.392L240 283.713V500c0 6.627 5.373 12 12 12h8c6.627 0 12-5.373 12-12V283.713l187.31 108.143c5.74 3.314 13.079 1.347 16.392-4.392l4-6.928c3.314-5.74 1.347-13.079-4.392-16.392z"/></svg>

app/views/icons/_folder.html.erb

@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-folder"><path d="M22 19a2 2 0 0 1-2 2H4a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h5l2 3h9a2 2 0 0 1 2 2z"></path></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-folder <%= custom_class %>"><path d="M22 19a2 2 0 0 1-2 2H4a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h5l2 3h9a2 2 0 0 1 2 2z"></path></svg>

app/views/rs/oauth/new.html.erb

@@ -0,0 +1,60 @@
+<%= render HeaderComponent.new(title: "App Authorization") %>
+
+<%= render MainSimpleComponent.new do %>
+  <section class="px-16 pb-8 mt-8">
+    <p class="text-lg mb-8">
+      The app
+      <%= link_to @client_id, "https://#{@client_id}", class: "ks-text-link" %>
+      is asking for access to these folders:
+    </p>
+
+    <p class="text-xl mb-8">
+      <% if @root_access_requested %>
+        <span class="text-red-700">
+          <span class="text-red-700">
+            <%= render partial: "icons/asterisk", locals: { custom_class: "inline-block align-middle mb-1" } %>
+            All files and directories
+          </span>
+          <% if (@scopes & [":r"]).any? %>
+            <span class="text-sm text-gray-500">(read only)</span>
+          <% end %>
+        </span>
+      <% else %>
+        <% @scopes.each do |scope| %>
+          <span class="text-gray-500">
+            <span>
+              <%= render partial: "icons/folder", locals: { custom_class: "inline-block align-middle mb-2" } %>
+              <%= scope_name(scope) %>
+            </span>
+            <% if scope_permissions(scope) == "r" %>
+              <span class="text-sm text-gray-500">(read only)</span>
+            <% end %>
+          </span>
+        <% end %>
+      <% end %>
+    </p>
+
+    <%= form_with(url: rs_oauth_path, method: :post, data: { turbo: false }) do |f| %>
+      <%= f.hidden_field :redirect_uri, value: @redirect_uri %>
+      <%= f.hidden_field :scope, value: @scopes.join(" ") %>
+      <%= f.hidden_field :user_id, value: @user.id %>
+      <%= f.hidden_field :client_id, value: @client_id %>
+      <%= f.hidden_field :state, value: @state %>
+      <p>
+        <%= f.label :expire_at, "Expire:" %>
+        <%= f.select :expire_at, options_for_select(@expire_at_dates) %>
+      </p>
+      <p class="text-sm text-gray-500 my-10">
+        You can revoke access for this app at any time on your storage dashboard.
+      </p>
+      <div>
+        <%= f.submit class: "btn-md btn-blue w-full sm:w-auto", data: { disable_with: "Saving..." } do %>
+          Allow
+        <% end %>
+        <%= link_to @denial_url, class: "btn-md btn-red w-full sm:w-auto" do %>
+          Deny
+        <% end %>
+      </div>
+    <% end %>
+  </section>
+<% end %>

app/views/shared/_admin_sidenav_settings_services.html.erb

@@ -47,3 +47,10 @@
   icon: Setting.nostr_enabled? ? "check" : "x",
   active: current_page?(admin_settings_services_path(params: { s: "nostr" })),
 ) %>
+<%= render SidenavLinkComponent.new(
+  level: 2,
+  name: "RemoteStorage",
+  path: admin_settings_services_path(params: { s: "remotestorage" }),
+  icon: Setting.remotestorage_enabled? ? "check" : "x",
+  active: current_page?(admin_settings_services_path(params: { s: "remotestorage" })),
+) %>

config/initializers/devise.rb

@@ -186,13 +186,13 @@ Devise.setup do |config|
 
   # ==> Configuration for :rememberable
   # The time the user will be remembered without asking for credentials again.
-  config.remember_for = 2.weeks
+  # config.remember_for = 2.weeks
 
   # Invalidates all the remember me tokens when the user signs out.
   config.expire_all_remember_me_on_sign_out = true
 
   # If true, extends the user's remember period when remembered via cookie.
-  config.extend_remember_period = true
+  # config.extend_remember_period = false
 
   # Options to be passed to the created cookie. For instance, you can set
   # secure: true in order to force SSL only cookies.
@@ -210,7 +210,7 @@ Devise.setup do |config|
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
   # time the user will be asked for credentials again. Default is 30 minutes.
-  config.timeout_in = 30.minutes
+  # config.timeout_in = 30.minutes
 
   # ==> Configuration for :lockable
   # Defines which strategy will be used to lock an account.

config/initializers/sentry.rb

@@ -1,9 +0,0 @@
-if ENV["SENTRY_DSN"].present?
-  Sentry.init do |config|
-    config.dsn = ENV["SENTRY_DSN"]
-    config.breadcrumbs_logger = [:active_support_logger, :http_logger]
-    config.traces_sampler = lambda do |context|
-      true
-    end
-  end
-end

config/initializers/sidekiq.rb

@@ -1,5 +0,0 @@
-require_relative "../../app/models/setting"
-
-Sidekiq.configure_server do |config|
-  config.redis = { url: Setting.redis_url }
-end

config/routes.rb

@@ -1,7 +1,7 @@
 require 'sidekiq/web'
 
 Rails.application.routes.draw do
-  devise_for :users, controllers: { confirmations: "users/confirmations" }
+  devise_for :users, :controllers => { :confirmations => "users/confirmations" }
 
   get 'welcome', to: 'welcome#index'
   get 'check_your_email', to: 'welcome#check_your_email'
@@ -54,6 +54,12 @@ Rails.application.routes.draw do
     end
   end
 
+  namespace :rs do
+    resource :oauth, only: [:new, :create], path_names: { new: ':useraddress' },
+      controller: 'oauth', constraints: { useraddress: /[^\/]+/}
+    get 'oauth/token/:id/launch_app' => 'oauth#launch_app', as: :launch_app
+  end
+
   authenticate :user, ->(user) { user.is_admin? } do
     mount Sidekiq::Web => '/sidekiq'
   end

config/sidekiq.yml

@@ -1,4 +1,3 @@
 :concurrency: 2
 :queues:
   - default
-  - mailers

db/migrate/20230312212030_create_remote_storage_authorizations.rb

@@ -0,0 +1,17 @@
+class CreateRemoteStorageAuthorizations < ActiveRecord::Migration[7.0]
+  def change
+    create_table :remote_storage_authorizations do |t|
+      t.references :user, null: false, foreign_key: true
+      t.string :token
+      t.text :permissions, array: true, default: [].to_yaml
+      t.string :client_id
+      t.string :redirect_uri
+      t.string :app_name
+      t.datetime :expire_at
+
+      t.timestamps
+    end
+
+    add_index :remote_storage_authorizations, :permissions, using: 'gin'
+  end
+end

db/migrate/20230319101128_add_remember_created_at_to_users.rb

@@ -1,6 +0,0 @@
-class AddRememberCreatedAtToUsers < ActiveRecord::Migration[7.0]
-  def change
-    add_column :users, :remember_created_at, :datetime
-    add_column :users, :remember_token, :string
-  end
-end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.0].define(version: 2023_03_19_101128) do
+ActiveRecord::Schema[7.0].define(version: 2023_03_12_212030) do
   create_table "donations", force: :cascade do |t|
     t.integer "user_id"
     t.integer "amount_sats"
@@ -34,6 +34,20 @@ ActiveRecord::Schema[7.0].define(version: 2023_03_19_101128) do
     t.index ["user_id"], name: "index_invitations_on_user_id"
   end
 
+  create_table "remote_storage_authorizations", force: :cascade do |t|
+    t.integer "user_id", null: false
+    t.string "token"
+    t.text "permissions", default: "--- []\n"
+    t.string "client_id"
+    t.string "redirect_uri"
+    t.string "app_name"
+    t.datetime "expire_at"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["permissions"], name: "index_remote_storage_authorizations_on_permissions"
+    t.index ["user_id"], name: "index_remote_storage_authorizations_on_user_id"
+  end
+
   create_table "settings", force: :cascade do |t|
     t.string "var", null: false
     t.text "value"
@@ -57,10 +71,9 @@ ActiveRecord::Schema[7.0].define(version: 2023_03_19_101128) do
     t.text "ln_login_ciphertext"
     t.text "ln_password_ciphertext"
     t.string "ln_account"
-    t.datetime "remember_created_at"
-    t.string "remember_token"
     t.index ["email"], name: "index_users_on_email", unique: true
     t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
   end
 
+  add_foreign_key "remote_storage_authorizations", "users"
 end

docker-compose.yml

@@ -3,67 +3,11 @@ services:
     image: 4teamwork/389ds:latest
     volumes:
       - ./tmp/389ds:/data
-    networks:
-      - external_network
-      - internal_network
     ports:
       - "389:3389"
     environment:
       DS_DM_PASSWORD: passthebutter
       SUFFIX_NAME: "dc=kosmos,dc=org"
-
-  # redis:
-  #   restart: always
-  #   image: redis:7-alpine
-  #   networks:
-  #     - internal_network
-  #   healthcheck:
-  #     test: ['CMD', 'redis-cli', 'ping']
-  #   volumes:
-  #     - ./tmp/redis:/data
-
-  # web:
-  #   build: .
-  #   tty: true
-  #   command: bash -c "rm -f /akkounts/tmp/pids/server.pid; bin/dev"
-  #   volumes:
-  #     - .:/akkounts
-  #   networks:
-  #     - external_network
-  #     - internal_network
-  #   ports:
-  #     - "3000:3000"
-  #   environment:
-  #     RAILS_ENV: development
-  #     REDIS_URL: redis://redis:6379/0
-  #     LDAP_HOST: ldap
-  #     LDAP_PORT: 3389
-  #     LDAP_ADMIN_PASSWORD: passthebutter
-  #     LDAP_USE_TLS: "false"
-  #   depends_on:
-  #     - ldap
-  #     - redis
-
-  # sidekiq:
-  #   build: .
-  #   command: bash -c "bundle exec sidekiq -C config/sidekiq.yml"
-  #   volumes:
-  #     - .:/akkounts
-  #   networks:
-  #     - internal_network
-  #   environment:
-  #     RAILS_ENV: development
-  #     REDIS_URL: redis://redis:6379/0
-  #     LDAP_HOST: ldap
-  #     LDAP_PORT: 3389
-  #     LDAP_ADMIN_PASSWORD: passthebutter
-  #     LDAP_USE_TLS: "false"
-  #     LAUNCHY_DRY_RUN: true
-  #     BROWSER: /dev/null
-  #   depends_on:
-  #     - ldap
-  #     - redis
-
   # phpldapadmin:
   #   image: osixia/phpldapadmin:0.9.0
   #   ports:
@@ -72,8 +16,19 @@ services:
   #     PHPLDAPADMIN_HTTPS: false
   #     PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap': [{'server': [{'tls': False}, {'port': 3389}]}, {'login': [{'bind_id': 'cn=Directory Manager'}, {'bind_pass': 'passthebutter'}]}]}]"
   #     PHPLDAPADMIN_LDAP_CLIENT_TLS: false
-
+  # web:
-networks:
+  #   build: .
-  external_network:
+  #   tty: true
-  internal_network:
+  #   command: bash -c "sleep 5 && rm -f tmp/pids/server.pid && bin/dev"
-    internal: true
+  #   volumes:
+  #     - .:/akkounts
+  #   ports:
+  #     - "3000:3000"
+  #   environment:
+  #     RAILS_ENV: development
+  #     LDAP_HOST: ldap
+  #     LDAP_PORT: 3389
+  #     LDAP_ADMIN_PASSWORD: passthebutter
+  #     LDAP_USE_TLS: "false"
+  #   depends_on:
+  #     - ldap

docker/entrypoint.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+
+# Remove a potentially pre-existing server.pid for Rails.
+rm -f /myapp/tmp/pids/server.pid
+
+# Then exec the container's main process (what's set as CMD in the Dockerfile).
+exec "$@"

package.json

@@ -11,7 +11,7 @@
     "postcss-preset-env": "^7.8.3",
     "tailwindcss": "^3.2.4"
   },
-  "version": "0.5.0",
+  "version": "0.4.0",
   "scripts": {
     "build:css:tailwind": "tailwindcss --postcss -i ./app/assets/stylesheets/application.tailwind.css -o ./app/assets/builds/application.css",
     "build:css": "yarn run build:css:tailwind"