adminbruno
/
docuseal
mirror of https://github.com/docusealco/docuseal
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into CP-10361

Browse Source
pull/544/head
Bernardo Anderson 4 months ago committed by GitHub
parent 6a90ea81ec 669fcf8b5b
commit d4a0dd379a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
55 changed files with 2149 additions and 89 deletions
Show Stats Download Patch File Download Diff File

2
.env.development
Unescape View File

@ -3,4 +3,4 @@ DB_PASSWORD=postgres
DB_PORT=5432
DB_USERNAME=postgres
REDIS_URL=redis://host.docker.internal:6379/7
PORT=3000
PORT=3001

15
.env.production
Unescape View File

@ -0,0 +1,15 @@
DB_HOST=
DB_POOL=25
DB_PORT=5432
DB_SSLCERT=/config/rds-combined-ca-bundle.pem
DB_SSLMODE=verify-full
REDIS_URL=
PORT=3000
S3_ATTACHMENTS_BUCKET=
ACTIVE_STORAGE_PUBLIC=true
FORCE_SSL=true
AIRBRAKE_ID=
AIRBRAKE_KEY=
NEWRELIC_LICENSE_KEY=
NEWRELIC_APP_NAME=
WEB_CONCURRENCY=2

6
.env.staging
Unescape View File

@ -8,3 +8,9 @@ PORT=3000
S3_ATTACHMENTS_BUCKET=
ACTIVE_STORAGE_PUBLIC=true
FORCE_SSL=true
AIRBRAKE_ID=
AIRBRAKE_KEY=
NEWRELIC_LICENSE_KEY=
NEWRELIC_APP_NAME=
NEWRELIC_MONITOR_MODE=
WEB_CONCURRENCY=2

1
Dockerfile
Unescape View File

@ -79,6 +79,7 @@ COPY ./tmp ./tmp
COPY LICENSE README.md Rakefile config.ru .version ./
COPY .version ./public/version
COPY ./.env.staging ./.env.staging
COPY ./.env.production ./.env.production
COPY ./config/rds-combined-ca-bundle.pem /config/rds-combined-ca-bundle.pem
COPY --from=download /fonts/GoNotoKurrent-Regular.ttf /fonts/GoNotoKurrent-Bold.ttf /fonts/DancingScript-Regular.otf /fonts/OFL.txt /fonts

3
Gemfile
Unescape View File

@ -44,6 +44,9 @@ gem 'turbo-rails'
gem 'twitter_cldr', require: false
gem 'tzinfo-data'
gem 'airbrake'
gem 'newrelic_rpm'
group :development, :test do
gem 'better_html'
gem 'bullet'

8
Gemfile.lock
Unescape View File

@ -74,6 +74,10 @@ GEM
uri (>= 0.13.1)
addressable (2.8.7)
public_suffix (>= 2.0.2, < 7.0)
airbrake (13.0.5)
airbrake-ruby (~> 6.0)
airbrake-ruby (6.2.2)
rbtree3 (~> 0.6)
annotaterb (4.14.0)
arabic-letter-connector (0.1.1)
ast (2.4.2)
@ -336,6 +340,7 @@ GEM
timeout
net-smtp (0.5.0)
net-protocol
newrelic_rpm (9.17.0)
nio4r (2.7.4)
nokogiri (1.18.8)
mini_portile2 (~> 2.8.2)
@ -433,6 +438,7 @@ GEM
zeitwerk (~> 2.6)
rainbow (3.1.1)
rake (13.2.1)
rbtree3 (0.7.1)
rdoc (6.10.0)
psych (>= 4.0.0)
redis-client (0.23.0)
@ -588,6 +594,7 @@ PLATFORMS
x86_64-linux-musl
DEPENDENCIES
airbrake
annotaterb
arabic-letter-connector
aws-sdk-s3
@ -618,6 +625,7 @@ DEPENDENCIES
jwt
letter_opener_web
lograge
newrelic_rpm
oj
pagy
pg

2
app/controllers/api/active_storage_blobs_proxy_controller.rb
Unescape View File

@ -4,7 +4,7 @@ module Api
class ActiveStorageBlobsProxyController < ApiBaseController
include ActiveStorage::Streaming
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
before_action :set_cors_headers

2
app/controllers/api/active_storage_blobs_proxy_legacy_controller.rb
Unescape View File

@ -4,7 +4,7 @@ module Api
class ActiveStorageBlobsProxyLegacyController < ApiBaseController
include ActiveStorage::Streaming
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
before_action :set_cors_headers

4
app/controllers/api/api_base_controller.rb
Unescape View File

@ -12,7 +12,7 @@ module Api
wrap_parameters false
before_action :authenticate_user!
before_action :authenticate_via_token!
check_authorization
rescue_from Params::BaseValidator::InvalidParameterError do |e|
@ -81,7 +81,7 @@ module Api
result
end
def authenticate_user!
def authenticate_via_token!
render json: { error: 'Not authenticated' }, status: :unauthorized unless current_user
end

32
app/controllers/api/external_auth_controller.rb
Unescape View File

@ -0,0 +1,32 @@
# frozen_string_literal: true
module Api
class ExternalAuthController < Api::ApiBaseController
skip_before_action :authenticate_via_token!
skip_authorization_check
def user_token
account = Account.find_or_create_by_external_id(
params[:account][:external_id]&.to_i,
name: params[:account][:name],
locale: params[:account][:locale] || 'en-US',
timezone: params[:account][:timezone] || 'UTC'
)
user = User.find_or_create_by_external_id(
account,
params[:user][:external_id]&.to_i,
email: params[:user][:email],
first_name: params[:user][:first_name],
last_name: params[:user][:last_name],
role: 'admin'
)
render json: { access_token: user.access_token.token }
rescue StandardError => e
Rails.logger.error("External auth error: #{e.message}")
Rollbar.error(e) if defined?(Rollbar)
render json: { error: 'Internal server error' }, status: :internal_server_error
end
end
end

2
app/controllers/api/submitter_email_clicks_controller.rb
Unescape View File

@ -2,7 +2,7 @@
module Api
class SubmitterEmailClicksController < ApiBaseController
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
def create

2
app/controllers/api/submitter_form_views_controller.rb
Unescape View File

@ -2,7 +2,7 @@
module Api
class SubmitterFormViewsController < ApiBaseController
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
def create

60
app/controllers/application_controller.rb
Unescape View File

@ -6,14 +6,12 @@ class ApplicationController < ActionController::Base
include ActiveStorage::SetCurrent
include Pagy::Backend
before_action :ensure_demo_user_signed_in
check_authorization unless: :devise_controller?
around_action :with_locale
# before_action :sign_in_for_demo, if: -> { Docuseal.demo? }
before_action :maybe_redirect_to_setup, unless: :signed_in?
before_action :authenticate_user!, unless: :devise_controller?
before_action :maybe_authenticate_via_token
before_action :authenticate_via_token!, unless: :devise_controller?
helper_method :button_title,
:current_account,
@ -102,34 +100,42 @@ class ApplicationController < ActionController::Base
current_user&.account
end
def maybe_redirect_to_setup
# Skip setup redirect for iframe embedding - create demo user instead
return if ensure_demo_user_signed_in
def maybe_authenticate_via_token
return if signed_in?
redirect_to setup_index_path unless User.exists?
end
# Check for token in params, session, or X-Auth-Token header
token = params[:auth_token] || session[:auth_token] || request.headers['X-Auth-Token']
return if token.blank?
# Try to find user by token and sign them in
sha256 = Digest::SHA256.hexdigest(token)
user = User.joins(:access_token).active.find_by(access_token: { sha256: sha256 })
def ensure_demo_user_signed_in
return true if signed_in?
return unless user
user = find_or_create_demo_user
sign_in(user)
true
end
def find_or_create_demo_user
User.find_by(email: 'demo@docuseal.local') || begin
account = Account.create!(name: 'Demo Account', locale: 'en', timezone: 'UTC')
User.create!(
email: 'demo@docuseal.local',
password: 'password123',
password_confirmation: 'password123',
first_name: 'Demo',
last_name: 'User',
account: account,
role: 'admin'
)
session[:auth_token] = token
end
# Enhanced authentication that tries token auth and fails with error if no user found
# Use this when you need to enforce authentication with better token handling
def authenticate_via_token!
return if signed_in?
token = params[:auth_token] || session[:auth_token] || request.headers['X-Auth-Token']
if token.present?
sha256 = Digest::SHA256.hexdigest(token)
user = User.joins(:access_token).active.find_by(access_token: { sha256: sha256 })
if user
sign_in(user)
session[:auth_token] = token
return
end
end
render json: { error: 'Authentication required. Please provide a valid auth_token.' }, status: :unauthorized
end
def button_title(title: I18n.t('submit'), disabled_with: I18n.t('submitting'), title_class: '', icon: nil,

37
app/controllers/concerns/iframe_authentication.rb
Unescape View File

@ -0,0 +1,37 @@
# frozen_string_literal: true
module IframeAuthentication
extend ActiveSupport::Concern
private
# Custom authentication for iframe context
# AJAX requests from Vue components don't include the auth token that's in the iframe URL,
# so we extract it from the HTTP referer header as a fallback
def authenticate_from_referer
return if signed_in?
token = params[:auth_token] || session[:auth_token] || request.headers['X-Auth-Token']
# If no token found, extract from referer URL (iframe page has the token)
if token.blank? && request.referer.present?
referer_uri = URI.parse(request.referer)
referer_params = CGI.parse(referer_uri.query || '')
token = referer_params['auth_token']&.first
end
if token.present?
sha256 = Digest::SHA256.hexdigest(token)
user = User.joins(:access_token).active.find_by(access_token: { sha256: sha256 })
return unless user
sign_in(user)
session[:auth_token] = token
return
end
Rails.logger.error "#{self.class.name}: Authentication failed"
render json: { error: 'Authentication required' }, status: :unauthorized
end
end

2
app/controllers/console_redirect_controller.rb
Unescape View File

@ -1,7 +1,7 @@
# frozen_string_literal: true
class ConsoleRedirectController < ApplicationController
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
def index

2
app/controllers/dashboard_controller.rb
Unescape View File

@ -1,7 +1,7 @@
# frozen_string_literal: true
class DashboardController < ApplicationController
skip_before_action :authenticate_user!, only: %i[index]
skip_before_action :authenticate_via_token!, only: %i[index]
before_action :maybe_redirect_product_url
before_action :maybe_render_landing

2
app/controllers/enquiries_controller.rb
Unescape View File

@ -1,7 +1,7 @@
# frozen_string_literal: true
class EnquiriesController < ApplicationController
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
def create

1
app/controllers/export_controller.rb
Unescape View File

@ -4,7 +4,6 @@ require 'faraday'
class ExportController < ApplicationController
skip_authorization_check
skip_before_action :maybe_redirect_to_setup
skip_before_action :verify_authenticity_token
# Send template to third party.

2
app/controllers/send_submission_email_controller.rb
Unescape View File

@ -3,7 +3,7 @@
class SendSubmissionEmailController < ApplicationController
layout 'form'
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_before_action :verify_authenticity_token
skip_authorization_check

3
app/controllers/setup_controller.rb
Unescape View File

@ -1,8 +1,7 @@
# frozen_string_literal: true
class SetupController < ApplicationController
skip_before_action :maybe_redirect_to_setup
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
before_action :redirect_to_root_if_signed, if: :signed_in?

2
app/controllers/start_form_controller.rb
Unescape View File

@ -3,7 +3,7 @@
class StartFormController < ApplicationController
layout 'form'
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
around_action :with_browser_locale, only: %i[show completed]

2
app/controllers/submissions_debug_controller.rb
Unescape View File

@ -3,7 +3,7 @@
class SubmissionsDebugController < ApplicationController
layout 'plain'
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
def index

2
app/controllers/submissions_download_controller.rb
Unescape View File

@ -1,7 +1,7 @@
# frozen_string_literal: true
class SubmissionsDownloadController < ApplicationController
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
TTL = 40.minutes

2
app/controllers/submissions_preview_controller.rb
Unescape View File

@ -2,7 +2,7 @@
class SubmissionsPreviewController < ApplicationController
around_action :with_browser_locale
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
prepend_before_action :maybe_redirect_com, only: %i[show completed]

2
app/controllers/submit_form_controller.rb
Unescape View File

@ -4,7 +4,7 @@ class SubmitFormController < ApplicationController
layout 'form'
around_action :with_browser_locale, only: %i[show completed success]
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
skip_before_action :verify_authenticity_token, only: :update

2
app/controllers/submit_form_decline_controller.rb
Unescape View File

@ -1,7 +1,7 @@
# frozen_string_literal: true
class SubmitFormDeclineController < ApplicationController
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
def create

2
app/controllers/submit_form_download_controller.rb
Unescape View File

@ -1,7 +1,7 @@
# frozen_string_literal: true
class SubmitFormDownloadController < ApplicationController
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
FILES_TTL = 5.minutes

2
app/controllers/submit_form_draw_signature_controller.rb
Unescape View File

@ -4,7 +4,7 @@ class SubmitFormDrawSignatureController < ApplicationController
layout false
around_action :with_browser_locale, only: %i[show]
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
def show

2
app/controllers/submit_form_invite_controller.rb
Unescape View File

@ -1,7 +1,7 @@
# frozen_string_literal: true
class SubmitFormInviteController < ApplicationController
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
def create

2
app/controllers/submit_form_values_controller.rb
Unescape View File

@ -1,7 +1,7 @@
# frozen_string_literal: true
class SubmitFormValuesController < ApplicationController
skip_before_action :authenticate_user!
skip_before_action :authenticate_via_token!
skip_authorization_check
def index

10
app/controllers/submitters_request_changes_controller.rb
Unescape View File

@ -1,8 +1,12 @@
# frozen_string_literal: true
class SubmittersRequestChangesController < ApplicationController
before_action :load_submitter
include IframeAuthentication
skip_before_action :verify_authenticity_token, only: :request_changes
skip_before_action :authenticate_via_token!, only: :request_changes
before_action :authenticate_from_referer, only: :request_changes
before_action :load_submitter
def request_changes
if request.get? || request.head?
@ -48,9 +52,9 @@ class SubmittersRequestChangesController < ApplicationController
end
def can_request_changes?
# Only the user who created the submission can request changes
# Only the template author (manager) can request changes from submitters
# Only for completed submissions that haven't been declined
current_user == @submitter.submission.created_by_user &&
current_user == @submitter.submission.template.author &&
@submitter.completed_at? &&
!@submitter.declined_at? &&
!@submitter.changes_requested_at?

7
app/controllers/template_documents_controller.rb
Unescape View File

@ -1,8 +1,13 @@
# frozen_string_literal: true
class TemplateDocumentsController < ApplicationController
include IframeAuthentication
skip_before_action :verify_authenticity_token
load_and_authorize_resource :template
skip_before_action :authenticate_via_token!
before_action :authenticate_from_referer
load_and_authorize_resource :template, id_param: :template_id
def create
if params[:blobs].blank? && params[:files].blank?

6
app/controllers/templates_controller.rb
Unescape View File

@ -2,12 +2,13 @@
class TemplatesController < ApplicationController
include PrefillFieldsHelper
include IframeAuthentication
skip_before_action :maybe_redirect_to_setup
skip_before_action :verify_authenticity_token
skip_before_action :authenticate_via_token!, only: [:update]
before_action :authenticate_from_referer, only: [:update]
load_and_authorize_resource :template
before_action :load_base_template, only: %i[new create]
def show
@ -67,6 +68,7 @@ class TemplatesController < ApplicationController
name: params.dig(:template, :name),
folder_name: params[:folder_name])
else
@template = Template.new(template_params) if @template.nil?
@template.author = current_user
@template.folder = TemplateFolders.find_or_create_by_name(current_user, params[:folder_name])
end

4
app/controllers/templates_dashboard_controller.rb
Unescape View File

@ -1,10 +1,6 @@
# frozen_string_literal: true
class TemplatesDashboardController < ApplicationController
before_action :ensure_demo_user_signed_in
skip_before_action :authenticate_user!
skip_before_action :maybe_redirect_to_setup
load_and_authorize_resource :template_folder, parent: false
load_and_authorize_resource :template, parent: false

27
app/models/account.rb
Unescape View File

@ -4,18 +4,20 @@
#
# Table name: accounts
#
# id :bigint not null, primary key
# archived_at :datetime
# locale :string not null
# name :string not null
# timezone :string not null
# uuid :string not null
# created_at :datetime not null
# updated_at :datetime not null
# id :bigint not null, primary key
# archived_at :datetime
# locale :string not null
# name :string not null
# timezone :string not null
# uuid :string not null
# created_at :datetime not null
# updated_at :datetime not null
# external_account_id :integer
#
# Indexes
#
# index_accounts_on_uuid (uuid) UNIQUE
# index_accounts_on_external_account_id (external_account_id) UNIQUE
# index_accounts_on_uuid (uuid) UNIQUE
#
class Account < ApplicationRecord
attribute :uuid, :string, default: -> { SecureRandom.uuid }
@ -53,8 +55,15 @@ class Account < ApplicationRecord
attribute :timezone, :string, default: 'UTC'
attribute :locale, :string, default: 'en-US'
validates :external_account_id, uniqueness: true, allow_nil: true
scope :active, -> { where(archived_at: nil) }
def self.find_or_create_by_external_id(external_id, attributes = {})
find_by(external_account_id: external_id) ||
create!(attributes.merge(external_account_id: external_id))
end
def testing?
linked_account_account&.testing?
end

13
app/models/user.rb
Unescape View File

@ -29,11 +29,13 @@
# created_at :datetime not null
# updated_at :datetime not null
# account_id :integer not null
# external_user_id :integer
#
# Indexes
#
# index_users_on_account_id (account_id)
# index_users_on_email (email) UNIQUE
# index_users_on_external_user_id (external_user_id) UNIQUE
# index_users_on_reset_password_token (reset_password_token) UNIQUE
# index_users_on_unlock_token (unlock_token) UNIQUE
# index_users_on_uuid (uuid) UNIQUE
@ -74,6 +76,17 @@ class User < ApplicationRecord
scope :admins, -> { where(role: ADMIN_ROLE) }
validates :email, format: { with: /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/ }
validates :external_user_id, uniqueness: true, allow_nil: true
def self.find_or_create_by_external_id(account, external_id, attributes = {})
account.users.find_by(external_user_id: external_id) ||
account.users.create!(
attributes.merge(
external_user_id: external_id,
password: SecureRandom.hex(16)
)
)
end
def access_token
super || build_access_token.tap(&:save!)

2
app/views/submissions/show.html.erb
Unescape View File

@ -235,7 +235,7 @@
<%= button_to t('resubmit'), submitters_resubmit_path(submitter), method: :put, class: 'btn btn-sm btn-primary w-full', form: { target: '_blank' }, data: { turbo: false } %>
</div>
<% end %>
<% if signed_in? && submitter && submitter.completed_at? && !submitter.declined_at? && !submitter.changes_requested_at? && current_user == @submission.created_by_user %>
<% if signed_in? && submitter && submitter.completed_at? && !submitter.declined_at? && !submitter.changes_requested_at? && current_user == @submission.template.author %>
<div class="mt-2 mb-1">
<%= link_to 'Request Changes', request_changes_submitter_path(submitter.slug),
class: 'btn btn-sm btn-warning w-full',

271
bin/start_production
Unescape View File

@ -0,0 +1,271 @@
#!/bin/sh -e
echo "=== CP Docuseal Production Startup ==="
# Enable jemalloc for reduced memory usage and latency.
if [ -z "${LD_PRELOAD+x}" ]; then
LD_PRELOAD=$(find /usr/lib -name libjemalloc.so.2 -print -quit)
export LD_PRELOAD
fi
check_aws_setup() {
if [ -z "$AWS_REGION" ]; then
echo "ERROR: AWS_REGION environment variable is not set"
exit 1
fi
if ! command -v aws &> /dev/null; then
echo "ERROR: AWS CLI is not installed. Please install it to proceed."
exit 1
fi
}
# Function to fetch secrets from AWS Secrets Manager
fetch_db_credentials() {
echo "Fetching database credentials from AWS Secrets Manager..."
if [ -z "$DB_SECRETS_NAME" ]; then
echo "ERROR: DB_SECRETS_NAME environment variable is not set"
exit 1
fi
# Fetch the secret
echo "Retrieving secret: $DB_SECRETS_NAME"
SECRET_JSON=$(aws secretsmanager get-secret-value \
--region "$AWS_REGION" \
--secret-id "$DB_SECRETS_NAME" \
--query SecretString \
--output text)
if [ $? -ne 0 ]; then
echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager"
exit 1
fi
# Parse JSON and export environment variables
export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.username')
export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.password')
# Validate that we got the credentials
if [ "$DB_USERNAME" = "null" ] || [ "$DB_PASSWORD" = "null" ] || [ -z "$DB_USERNAME" ] || [ -z "$DB_PASSWORD" ]; then
echo "ERROR: Failed to parse database credentials from secrets"
echo "Expected JSON format: {\"username\": \"...\", \"password\": \"...\"}"
exit 1
fi
# Write credentials to .env.production file
echo "Writing database credentials to .env.production..."
# Remove existing DB_USERNAME and DB_PASSWORD lines if they exist
if [ -f "./.env.production" ]; then
echo "Removing existing DB_USERNAME and DB_PASSWORD from .env.production"
grep -v "^DB_USERNAME=" ./.env.production > ./.env.production.tmp || true
grep -v "^DB_PASSWORD=" ./.env.production.tmp > ./.env.production || true
rm -f ./.env.production.tmp
fi
# Append the new credentials
echo "DB_USERNAME=$DB_USERNAME" >> ./.env.production
echo "DB_PASSWORD=$DB_PASSWORD" >> ./.env.production
echo "✓ Database credentials successfully retrieved and written to .env.production"
}
# Function to fetch encryption key from AWS Secrets Manager and write to config/master.key
fetch_encryption_key() {
echo "Fetching encryption key from AWS Secrets Manager..."
ENCRYPTION_SECRET_NAME="cpdocuseal/encryption_key"
if [ -z "$AWS_REGION" ]; then
echo "ERROR: AWS_REGION environment variable is not set"
exit 1
fi
# Fetch the secret value (assume it's a plain string, not JSON)
ENCRYPTION_KEY=$(aws secretsmanager get-secret-value \
--region "$AWS_REGION" \
--secret-id "$ENCRYPTION_SECRET_NAME" \
--query SecretString \
--output text)
if [ $? -ne 0 ] || [ -z "$ENCRYPTION_KEY" ] || [ "$ENCRYPTION_KEY" = "null" ]; then
echo "ERROR: Failed to retrieve encryption key from AWS Secrets Manager"
exit 1
fi
# Write the key to config/master.key
echo -n "$ENCRYPTION_KEY" > config/master.key
chmod 600 config/master.key
echo "✓ Encryption key written to config/master.key"
}
# Function to fetch allowed hosts values
fetch_allowed_hosts() {
echo "Fetching allowed hosts from AWS Secrets Manager..."
if [ -z "$ALLOWED_HOSTS_NAME" ]; then
echo "ERROR: ALLOWED_HOSTS_NAME environment variable is not set"
exit 1
fi
# Fetch the secret value, assume kept as JSON array
ALLOWED_HOSTS_JSON=$(aws secretsmanager get-secret-value \
--region "$AWS_REGION" \
--secret-id "$ALLOWED_HOSTS_NAME" \
--query SecretString \
--output text)
if [ $? -ne 0 ] || [ -z "$ALLOWED_HOSTS_JSON" ] || [ "$ALLOWED_HOSTS_JSON" = "null" ]; then
echo "ERROR: Failed to retrieve allowed hosts from AWS Secrets Manager"
exit 1
fi
# Extract the array and convert to comma-separated string
ALLOWED_HOSTS=$(echo "$ALLOWED_HOSTS_JSON" | jq -r '.allowed_hosts | join(",")')
if [ -z "$ALLOWED_HOSTS" ] || [ "$ALLOWED_HOSTS" = "null" ]; then
echo "ERROR: Failed to parse allowed hosts from secrets. Check that the secret contains 'allowed_hosts' key."
exit 1
fi
# Write allowed hosts to .env.production file
echo "Writing allowed hosts to .env.production..."
echo "ALLOWED_HOSTS=$ALLOWED_HOSTS" >> ./.env.production
echo "✓ Allowed hosts successfully retrieved and written to .env.production"
}
# Function to fetch various environment variables and write to .env file for use by app
fetch_env_variables() {
echo "Fetching environment variables from AWS Secrets Manager..."
if [ -z "$CP_VARIABLES_NAME" ]; then
echo "ERROR: CP_VARIABLES_NAME environment variable is not set"
exit 1
fi
# Fetch the secret
echo "Retrieving secret: $CP_VARIABLES_NAME"
SECRET_JSON=$(aws secretsmanager get-secret-value \
--region "$AWS_REGION" \
--secret-id "$CP_VARIABLES_NAME" \
--query SecretString \
--output text)
if [ $? -ne 0 ]; then
echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager"
exit 1
fi
export DB_HOST=$(echo "$SECRET_JSON" | jq -r '.host')
export REDIS_URL=$(echo "$SECRET_JSON" | jq -r '.redis_url')
export S3_ATTACHMENTS_BUCKET=$(echo "$SECRET_JSON" | jq -r '.s3_attachments_bucket')
export AIRBRAKE_ID=$(echo "$SECRET_JSON" | jq -r '.airbrake_id')
export AIRBRAKE_KEY=$(echo "$SECRET_JSON" | jq -r '.airbrake_key')
export NEWRELIC_LICENSE_KEY=$(echo "$SECRET_JSON" | jq -r '.newrelic_license_key')
export NEWRELIC_APP_NAME=$(echo "$SECRET_JSON" | jq -r '.newrelic_app_name')
export NEWRELIC_MONITOR_MODE=$(echo "$SECRET_JSON" | jq -r '.newrelic_monitor_mode')
# Validate that we got the values
if [ "$DB_HOST" = "null" ] || [ "$REDIS_URL" = "null" ] || [ "$S3_ATTACHMENTS_BUCKET" = "null" ] || [ -z "$DB_HOST" ] || [ -z "$REDIS_URL" ] || [ -z "$S3_ATTACHMENTS_BUCKET" ]; then
echo "ERROR: Failed to parse variables from secrets"
echo "Expected JSON format: {\"key\": \"...\", ...}"
exit 1
fi
# Validate license keys exist for logging
if [ "$AIRBRAKE_ID" = "null" ] || [ "$AIRBRAKE_KEY" = "null" ] || [ "$NEWRELIC_LICENSE_KEY" = "null" ] || [ "$NEWRELIC_APP_NAME" = "null" ]; then
echo "ERROR: One or more monitor/logging license keys are missing"
exit 1
fi
# Write variables to .env.production file
echo "Writing environment variables to .env.production..."
# Remove existing DB_HOST, REDIS_URL, and S3_ATTACHMENTS_BUCKET lines if they exist
if [ -f "./.env.production" ]; then
echo "Removing existing variables from .env.production"
grep -v "^DB_HOST=" ./.env.production > ./.env.production.tmp || true
grep -v "^REDIS_URL=" ./.env.production.tmp > ./.env.production || true
grep -v "^S3_ATTACHMENTS_BUCKET=" ./.env.production.tmp > ./.env.production || true
grep -v "^AIRBRAKE_ID=" ./.env.production.tmp > ./.env.production || true
grep -v "^AIRBRAKE_KEY=" ./.env.production.tmp > ./.env.production || true
grep -v "^NEWRELIC_LICENSE_KEY=" ./.env.production.tmp > ./.env.production || true
grep -v "^NEWRELIC_APP_NAME=" ./.env.production.tmp > ./.env.production || true
grep -v "^NEWRELIC_MONITOR_MODE=" ./.env.production.tmp > ./.env.production || true
rm -f ./.env.production.tmp
fi
# Append the new credentials
echo "DB_HOST=$DB_HOST" >> ./.env.production
echo "REDIS_URL=$REDIS_URL" >> ./.env.production
echo "S3_ATTACHMENTS_BUCKET=$S3_ATTACHMENTS_BUCKET" >> ./.env.production
echo "AIRBRAKE_ID=$AIRBRAKE_ID" >> ./.env.production
echo "AIRBRAKE_KEY=$AIRBRAKE_KEY" >> ./.env.production
echo "NEWRELIC_LICENSE_KEY=$NEWRELIC_LICENSE_KEY" >> ./.env.production
echo "NEWRELIC_APP_NAME=$NEWRELIC_APP_NAME" >> ./.env.production
echo "NEWRELIC_MONITOR_MODE=$NEWRELIC_MONITOR_MODE" >> ./.env.production
echo "✓ Environment variables successfully retrieved and written to .env.production"
}
# Function to setup database
setup_database() {
echo "Running database migrations..."
./bin/rails db:migrate
if [ $? -eq 0 ]; then
echo "✓ Database migrations completed successfully"
else
echo "ERROR: Database migrations failed"
exit 1
fi
}
set_environment() {
if [ -f "./.env.production" ]; then
echo "Setting environment variables from .env.production"
set -a
. ./.env.production
set +a
fi
}
# Main execution
main() {
cd ../../app/
set_environment
check_aws_setup
echo "Starting CP Docuseal in production mode..."
echo "Rails Environment: ${RAILS_ENV:-production}"
# Fetch database credentials from Secrets Manager
fetch_db_credentials
# Fetch encryption key and write to config/master.key
fetch_encryption_key
# Fetch allowed hosts from Secrets Manager
fetch_allowed_hosts
# Fetch other environment variables from Secrets Manager
fetch_env_variables
# Load updated environment variables
set_environment
# Setup and migrate database
setup_database
echo "=== Startup Complete - Starting Rails Server ==="
echo "Database Host: ${DB_HOST:-not set}"
echo "Database Port: ${DB_PORT:-not set}"
# Start the Rails server
exec ./bin/rails server -b 0.0.0.0 -p "${PORT:-3000}"
}
# Execute main function
main "$@"

65
bin/start_staging
Unescape View File

@ -71,6 +71,46 @@ fetch_db_credentials() {
echo "✓ Database credentials successfully retrieved and written to .env.staging"
}
# Function to fetch allowed hosts from AWS Secrets Manager and write to .env.staging
fetch_allowed_hosts() {
echo "Fetching allowed hosts from AWS Secrets Manager..."
if [ -z "$ALLOWED_HOSTS_NAME" ]; then
echo "ERROR: ALLOWED_HOSTS_NAME environment variable is not set"
exit 1
fi
# Fetch the secret value, assume kept as JSON array
ALLOWED_HOSTS_JSON=$(aws secretsmanager get-secret-value \
--region "$AWS_REGION" \
--secret-id "$ALLOWED_HOSTS_NAME" \
--query SecretString \
--output text)
if [ $? -ne 0 ] || [ -z "$ALLOWED_HOSTS_JSON" ] || [ "$ALLOWED_HOSTS_JSON" = "null" ]; then
echo "ERROR: Failed to retrieve allowed hosts from AWS Secrets Manager"
exit 1
fi
# Extract the array and convert to comma-separated string
ALLOWED_HOSTS=$(echo "$ALLOWED_HOSTS_JSON" | jq -r '.allowed_hosts | join(",")')
if [ -z "$ALLOWED_HOSTS" ] || [ "$ALLOWED_HOSTS" = "null" ]; then
echo "ERROR: Failed to parse allowed hosts from secrets. Check that the secret contains 'allowed_hosts' key."
exit 1
fi
# Remove existing ALLOWED_HOSTS line if it exists
if [ -f "./.env.staging" ]; then
grep -v "^ALLOWED_HOSTS=" ./.env.staging > ./.env.staging.tmp || true
mv ./.env.staging.tmp ./.env.staging
fi
# Append the new allowed hosts
echo "ALLOWED_HOSTS=$ALLOWED_HOSTS" >> ./.env.staging
echo "✓ Allowed hosts successfully retrieved and written to .env.staging"
}
# Function to fetch encryption key from AWS Secrets Manager and write to config/master.key
fetch_encryption_key() {
echo "Fetching encryption key from AWS Secrets Manager..."
@ -123,6 +163,12 @@ fetch_env_variables() {
export DB_HOST=$(echo "$SECRET_JSON" | jq -r '.host')
export REDIS_URL=$(echo "$SECRET_JSON" | jq -r '.redis_url')
export S3_ATTACHMENTS_BUCKET=$(echo "$SECRET_JSON" | jq -r '.s3_attachments_bucket')
export AIRBRAKE_ID=$(echo "$SECRET_JSON" | jq -r '.airbrake_id')
export AIRBRAKE_KEY=$(echo "$SECRET_JSON" | jq -r '.airbrake_key')
export NEWRELIC_LICENSE_KEY=$(echo "$SECRET_JSON" | jq -r '.newrelic_license_key')
export NEWRELIC_APP_NAME=$(echo "$SECRET_JSON" | jq -r '.newrelic_app_name')
export NEWRELIC_MONITOR_MODE=$(echo "$SECRET_JSON" | jq -r '.newrelic_monitor_mode')
# Validate that we got the values
if [ "$DB_HOST" = "null" ] || [ "$REDIS_URL" = "null" ] || [ "$S3_ATTACHMENTS_BUCKET" = "null" ] || [ -z "$DB_HOST" ] || [ -z "$REDIS_URL" ] || [ -z "$S3_ATTACHMENTS_BUCKET" ]; then
@ -131,6 +177,12 @@ fetch_env_variables() {
exit 1
fi
# Validate license keys exist for logging
if [ "$AIRBRAKE_ID" = "null" ] || [ "$AIRBRAKE_KEY" = "null" ] || [ "$NEWRELIC_LICENSE_KEY" = "null" ] || [ "$NEWRELIC_APP_NAME" = "null" ]; then
echo "ERROR: One or more monitor/logging license keys are missing"
exit 1
fi
# Write variables to .env.staging file
echo "Writing environment variables to .env.staging..."
@ -140,6 +192,11 @@ fetch_env_variables() {
grep -v "^DB_HOST=" ./.env.staging > ./.env.staging.tmp || true
grep -v "^REDIS_URL=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^S3_ATTACHMENTS_BUCKET=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^AIRBRAKE_ID=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^AIRBRAKE_KEY=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^NEWRELIC_LICENSE_KEY=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^NEWRELIC_APP_NAME=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^NEWRELIC_MONITOR_MODE=" ./.env.staging.tmp > ./.env.staging || true
rm -f ./.env.staging.tmp
fi
@ -147,6 +204,11 @@ fetch_env_variables() {
echo "DB_HOST=$DB_HOST" >> ./.env.staging
echo "REDIS_URL=$REDIS_URL" >> ./.env.staging
echo "S3_ATTACHMENTS_BUCKET=$S3_ATTACHMENTS_BUCKET" >> ./.env.staging
echo "AIRBRAKE_ID=$AIRBRAKE_ID" >> ./.env.staging
echo "AIRBRAKE_KEY=$AIRBRAKE_KEY" >> ./.env.staging
echo "NEWRELIC_LICENSE_KEY=$NEWRELIC_LICENSE_KEY" >> ./.env.staging
echo "NEWRELIC_APP_NAME=$NEWRELIC_APP_NAME" >> ./.env.staging
echo "NEWRELIC_MONITOR_MODE=$NEWRELIC_MONITOR_MODE" >> ./.env.staging
echo "✓ Environment variables successfully retrieved and written to .env.staging"
}
@ -190,6 +252,9 @@ main() {
# Fetch encryption key and write to config/master.key
fetch_encryption_key
# Fetch allowed hosts from Secrets Manager
fetch_allowed_hosts
# Fetch other environment variables from Secrets Manager
fetch_env_variables

16
config/environments/production.rb
Unescape View File

@ -40,10 +40,6 @@ Rails.application.configure do
config.active_storage.service =
if ENV['S3_ATTACHMENTS_BUCKET'].present?
:aws_s3
elsif ENV['GCS_BUCKET'].present?
:google
elsif ENV['AZURE_CONTAINER'].present?
:azure
else
:disk
end
@ -57,10 +53,10 @@ Rails.application.configure do
# config.action_cable.allowed_request_origins = [ "http://example.com", /http:\/\/example.*/ ]
# Assume all access to the app is happening through a SSL-terminating reverse proxy.
config.assume_ssl = ENV['FORCE_SSL'].present? && ENV['FORCE_SSL'] != 'false'
config.assume_ssl = true
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = ENV['FORCE_SSL'].present? && ENV['FORCE_SSL'] != 'false'
config.force_ssl = true
# Include generic and useful information about system operation, but avoid logging too much
# information to avoid inadvertent exposure of personally identifiable information (PII).
@ -162,4 +158,12 @@ Rails.application.configure do
raid: resource.try(:account_id)
}
end
config.host_authorization = { exclude: ->(request) { request.path == '/up' } }
# Load allowed hosts from environment variable
allowed_hosts = ENV['ALLOWED_HOSTS']&.split(',')&.map(&:strip) || ['.*\\.careerplug\\.com\\Z']
config.host_authorization = { exclude: ->(request) { request.path == '/up' } }
allowed_hosts.each { |host_pattern| config.hosts << Regexp.new(host_pattern) }
end

35
config/environments/staging.rb
Unescape View File

@ -95,9 +95,28 @@ Rails.application.configure do
# require "syslog/logger"
# config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new "app-name")
logger = ActiveSupport::Logger.new($stdout)
logger.formatter = config.log_formatter
config.logger = ActiveSupport::TaggedLogging.new(logger)
# logger = ActiveSupport::Logger.new($stdout)
# logger.formatter = config.log_formatter
# config.logger = ActiveSupport::TaggedLogging.new(logger)
# NEWRELIC_MONITOR_MODE enables stdout logger sync for worker/web via NR APM
if ENV['NEWRELIC_MONITOR_MODE'].presence
config.logger = ActiveSupport::TaggedLogging.new(
Logger.new($stdout)
)
config.active_job.logger = ActiveSupport::TaggedLogging.new(
Logger.new($stdout)
)
else
config.logger = ActiveSupport::TaggedLogging.new(
Syslog::Logger.new('rails-main')
)
config.active_job.logger = ActiveSupport::TaggedLogging.new(
Syslog::Logger.new('rails-sidekiq')
)
end
encryption_secret = ENV['ENCRYPTION_SECRET'].presence || Digest::SHA256.hexdigest(ENV['SECRET_KEY_BASE'].to_s)
@ -154,11 +173,9 @@ Rails.application.configure do
}
end
# Load allowed hosts from environment variable
allowed_hosts = ENV['ALLOWED_HOSTS']&.split(',')&.map(&:strip) || ['.*\\.careerplug\\.com\\Z']
config.host_authorization = { exclude: ->(request) { request.path == '/up' } }
[
/.*\.careerplug\.org\Z/,
/.*\.careerplug\.com\Z/,
/.*\.cpstaging\d\.click\Z/,
/.*\.cpstaging\d+\.name\Z/
].each { |hrexp| config.hosts << hrexp }
allowed_hosts.each { |host_pattern| config.hosts << Regexp.new(host_pattern) }
end

11
config/initializers/airbrake.rb
Unescape View File

@ -0,0 +1,11 @@
# frozen_string_literal: true
unless ENV['DOCKER_BUILD'] || ENV['CI_BUILD']
Airbrake.configure do |config|
config.project_key = ENV['AIRBRAKE_KEY'] # rubocop:disable Style/FetchEnvVar
config.project_id = ENV['AIRBRAKE_ID'] # rubocop:disable Style/FetchEnvVar
config.environment = Rails.env
config.ignore_environments = %w[development test]
config.root_directory = '/var/cpd/app'
end
end

1117
config/newrelic.yml
View File

File diff suppressed because it is too large Load Diff

4
config/puma.rb
Unescape View File

@ -8,7 +8,7 @@
require_relative 'dotenv'
max_threads_count = ENV.fetch('RAILS_MAX_THREADS', 15)
max_threads_count = ENV.fetch('RAILS_MAX_THREADS', 5)
min_threads_count = ENV.fetch('RAILS_MIN_THREADS') { max_threads_count }
threads min_threads_count, max_threads_count
@ -39,7 +39,7 @@ if ENV['WEB_CONCURRENCY_AUTO'] == 'true'
workers Etc.nprocessors
else
workers ENV.fetch('WEB_CONCURRENCY', 0)
workers ENV.fetch('WEB_CONCURRENCY', 1)
end
# Use the `preload_app!` method when specifying a `workers` number.

5
config/routes.rb
Unescape View File

@ -56,6 +56,11 @@ Rails.application.routes.draw do
resources :form_events, only: %i[index], path: 'form/:type'
resources :submission_events, only: %i[index], path: 'submission/:type'
end
resources :external_auth, only: [] do
collection do
post :user_token
end
end
end
resources :export, controller: 'export' do

9
db/migrate/20250814214357_add_external_ids_to_accounts_and_users.rb
Unescape View File

@ -0,0 +1,9 @@
class AddExternalIdsToAccountsAndUsers < ActiveRecord::Migration[8.0]
def change
add_column :accounts, :external_account_id, :integer
add_column :users, :external_user_id, :integer
add_index :accounts, :external_account_id, unique: true
add_index :users, :external_user_id, unique: true
end
end

6
db/schema.rb
Unescape View File

@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema[8.0].define(version: 2025_08_11_211829) do
ActiveRecord::Schema[8.0].define(version: 2025_08_14_214357) do
# These are extensions that must be enabled in order to support this database
enable_extension "btree_gin"
enable_extension "pg_catalog.plpgsql"
@ -62,6 +62,8 @@ ActiveRecord::Schema[8.0].define(version: 2025_08_11_211829) do
t.datetime "updated_at", null: false
t.string "uuid", null: false
t.datetime "archived_at"
t.integer "external_account_id"
t.index ["external_account_id"], name: "index_accounts_on_external_account_id", unique: true
t.index ["uuid"], name: "index_accounts_on_uuid", unique: true
end
@ -440,8 +442,10 @@ ActiveRecord::Schema[8.0].define(version: 2025_08_11_211829) do
t.string "otp_secret"
t.integer "consumed_timestep"
t.boolean "otp_required_for_login", default: false, null: false
t.integer "external_user_id"
t.index ["account_id"], name: "index_users_on_account_id"
t.index ["email"], name: "index_users_on_email", unique: true
t.index ["external_user_id"], name: "index_users_on_external_user_id", unique: true
t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
t.index ["unlock_token"], name: "index_users_on_unlock_token", unique: true
t.index ["uuid"], name: "index_users_on_uuid", unique: true

75
spec/controllers/concerns/iframe_authentication_spec.rb
Unescape View File

@ -0,0 +1,75 @@
# frozen_string_literal: true
describe IframeAuthentication do
let(:account) { create(:account) }
let(:user) { create(:user, account: account) }
let(:token) { user.access_token.token }
let(:controller_class) do
Class.new(ApplicationController) do
include IframeAuthentication
end
end
let(:controller) { controller_class.new }
let(:request_double) { instance_double(ActionDispatch::Request, headers: {}, referer: nil) }
before do
allow(controller).to receive_messages(
request: request_double,
params: {},
session: {},
signed_in?: false,
sign_in: nil,
render: nil
)
allow(Rails.logger).to receive(:error)
end
describe '#authenticate_from_referer' do
it 'does nothing when already signed in' do
allow(controller).to receive(:signed_in?).and_return(true)
controller.send(:authenticate_from_referer)
expect(controller).not_to have_received(:sign_in)
end
it 'authenticates with valid params token' do
allow(controller).to receive(:params).and_return({ auth_token: token })
controller.send(:authenticate_from_referer)
expect(controller).to have_received(:sign_in).with(user)
end
it 'authenticates with valid session token' do
allow(controller).to receive(:session).and_return({ auth_token: token })
controller.send(:authenticate_from_referer)
expect(controller).to have_received(:sign_in).with(user)
end
it 'authenticates with valid header token' do
allow(request_double).to receive(:headers).and_return({ 'X-Auth-Token' => token })
controller.send(:authenticate_from_referer)
expect(controller).to have_received(:sign_in).with(user)
end
it 'authenticates with token from referer URL' do
allow(request_double).to receive(:referer).and_return("https://example.com?auth_token=#{token}")
controller.send(:authenticate_from_referer)
expect(controller).to have_received(:sign_in).with(user)
end
it 'does nothing with invalid token' do
allow(controller).to receive(:params).and_return({ auth_token: 'invalid' })
controller.send(:authenticate_from_referer)
expect(controller).not_to have_received(:sign_in)
expect(controller).not_to have_received(:render)
end
it 'renders error with no token' do
controller.send(:authenticate_from_referer)
expect(controller).to have_received(:render).with(
json: { error: 'Authentication required' },
status: :unauthorized
)
end
end
end

59
spec/models/account_spec.rb
Unescape View File

@ -0,0 +1,59 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe Account do
describe 'validations' do
it 'is valid with valid attributes' do
account = build(:account)
expect(account).to be_valid
end
it 'validates uniqueness of external_account_id when present' do
create(:account, external_account_id: 123)
duplicate = build(:account, external_account_id: 123)
expect(duplicate).not_to be_valid
end
end
describe '.find_or_create_by_external_id' do
let(:external_id) { 123 }
let(:attributes) { { name: 'Test Account' } }
it 'finds existing account by external_account_id' do
existing_account = create(:account, external_account_id: external_id)
result = described_class.find_or_create_by_external_id(external_id, attributes)
expect(result).to eq(existing_account)
end
it 'creates new account when none exists' do
result = described_class.find_or_create_by_external_id(external_id, attributes)
expect(result.external_account_id).to eq(external_id)
expect(result.name).to eq('Test Account')
end
end
describe '#testing?' do
let(:account) { create(:account) }
it 'delegates to linked_account_account' do
linked_account_account = instance_double(AccountLinkedAccount, testing?: true)
allow(account).to receive(:linked_account_account).and_return(linked_account_account)
expect(account.testing?).to be true
end
end
describe '#default_template_folder' do
it 'creates default folder when none exists' do
account = create(:account)
create(:user, account: account)
expect do
folder = account.default_template_folder
expect(folder.name).to eq(TemplateFolder::DEFAULT_NAME)
expect(folder).to be_persisted
end.to change(account.template_folders, :count).by(1)
end
end
end

40
spec/models/submitter_spec.rb
Unescape View File

@ -1,5 +1,45 @@
# frozen_string_literal: true
# == Schema Information
#
# Table name: submitters
#
# id :bigint not null, primary key
# changes_requested_at :datetime
# completed_at :datetime
# declined_at :datetime
# email :string
# ip :string
# metadata :text not null
# name :string
# opened_at :datetime
# phone :string
# preferences :text not null
# sent_at :datetime
# slug :string not null
# timezone :string
# ua :string
# uuid :string not null
# values :text not null
# created_at :datetime not null
# updated_at :datetime not null
# account_id :integer not null
# external_id :string
# submission_id :integer not null
#
# Indexes
#
# index_submitters_on_account_id_and_id (account_id,id)
# index_submitters_on_completed_at_and_account_id (completed_at,account_id)
# index_submitters_on_email (email)
# index_submitters_on_external_id (external_id)
# index_submitters_on_slug (slug) UNIQUE
# index_submitters_on_submission_id (submission_id)
#
# Foreign Keys
#
# fk_rails_... (submission_id => submissions.id)
#
require 'rails_helper'
RSpec.describe Submitter do

99
spec/models/user_spec.rb
Unescape View File

@ -0,0 +1,99 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe User do
describe 'validations' do
it 'is valid with valid attributes' do
user = build(:user)
expect(user).to be_valid
end
it 'validates email format' do
user = build(:user, email: 'invalid-email')
expect(user).not_to be_valid
end
it 'validates uniqueness of external_user_id when present' do
account = create(:account)
create(:user, account: account, external_user_id: 123)
duplicate = build(:user, account: account, external_user_id: 123)
expect(duplicate).not_to be_valid
end
end
describe '.find_or_create_by_external_id' do
let(:account) { create(:account) }
let(:external_id) { 123 }
let(:attributes) { { first_name: 'Test', last_name: 'User', email: 'test@example.com' } }
it 'finds existing user by external_user_id' do
existing_user = create(:user, account: account, external_user_id: external_id)
result = described_class.find_or_create_by_external_id(account, external_id, attributes)
expect(result).to eq(existing_user)
end
it 'creates new user when none exists' do
result = described_class.find_or_create_by_external_id(account, external_id, attributes)
expect(result.external_user_id).to eq(external_id)
expect(result.first_name).to eq('Test')
expect(result.email).to eq('test@example.com')
expect(result.password).to be_present
end
end
describe '#active_for_authentication?' do
let(:account) { create(:account) }
let(:user) { create(:user, account: account) }
it 'returns true when user and account are active' do
expect(user.active_for_authentication?).to be true
end
it 'returns false when user is archived' do
user.update!(archived_at: 1.day.ago)
expect(user.active_for_authentication?).to be false
end
it 'returns false when account is archived' do
account.update!(archived_at: 1.day.ago)
expect(user.active_for_authentication?).to be false
end
end
describe '#initials' do
it 'returns initials from first and last name' do
user = build(:user, first_name: 'John', last_name: 'Doe')
expect(user.initials).to eq('JD')
end
it 'handles missing names' do
user = build(:user, first_name: 'John', last_name: nil)
expect(user.initials).to eq('J')
end
end
describe '#full_name' do
it 'combines first and last name' do
user = build(:user, first_name: 'John', last_name: 'Doe')
expect(user.full_name).to eq('John Doe')
end
it 'handles missing names' do
user = build(:user, first_name: 'John', last_name: nil)
expect(user.full_name).to eq('John')
end
end
describe '#friendly_name' do
it 'returns formatted name with email when full name present' do
user = build(:user, first_name: 'John', last_name: 'Doe', email: 'john@example.com')
expect(user.friendly_name).to eq('"John Doe" <john@example.com>')
end
it 'returns just email when no full name' do
user = build(:user, first_name: nil, last_name: nil, email: 'john@example.com')
expect(user.friendly_name).to eq('john@example.com')
end
end
end

98
spec/requests/application_controller_spec.rb
Unescape View File

@ -0,0 +1,98 @@
# frozen_string_literal: true
describe 'ApplicationController' do
let(:account) { create(:account) }
let(:user) { create(:user, account: account) }
let(:token) { user.access_token.token }
describe 'token authentication methods' do
let(:controller) { ApplicationController.new }
let(:request_double) { instance_double(ActionDispatch::Request, headers: {}) }
before do
allow(controller).to receive_messages(
request: request_double,
params: {},
session: {},
signed_in?: false
)
end
describe '#maybe_authenticate_via_token' do
it 'signs in user with valid token in header' do
request_double_with_token = instance_double(ActionDispatch::Request, headers: { 'X-Auth-Token' => token })
allow(controller).to receive(:request).and_return(request_double_with_token)
allow(controller).to receive(:sign_in)
controller.send(:maybe_authenticate_via_token)
expect(controller).to have_received(:sign_in).with(user)
end
it 'does nothing with invalid token' do
request_double_with_invalid = instance_double(ActionDispatch::Request, headers: { 'X-Auth-Token' => 'invalid' })
allow(controller).to receive(:request).and_return(request_double_with_invalid)
allow(controller).to receive(:sign_in)
controller.send(:maybe_authenticate_via_token)
expect(controller).not_to have_received(:sign_in)
end
end
describe '#authenticate_via_token!' do
it 'renders error with no token' do
allow(controller).to receive(:render)
controller.send(:authenticate_via_token!)
expect(controller).to have_received(:render).with(
json: { error: 'Authentication required. Please provide a valid auth_token.' },
status: :unauthorized
)
end
it 'renders error with invalid token' do
request_double_with_invalid = instance_double(ActionDispatch::Request, headers: { 'X-Auth-Token' => 'invalid' })
allow(controller).to receive(:request).and_return(request_double_with_invalid)
allow(controller).to receive(:render)
controller.send(:authenticate_via_token!)
expect(controller).to have_received(:render).with(
json: { error: 'Authentication required. Please provide a valid auth_token.' },
status: :unauthorized
)
end
it 'does not render error with valid token' do
request_double_with_token = instance_double(ActionDispatch::Request, headers: { 'X-Auth-Token' => token })
allow(controller).to receive(:request).and_return(request_double_with_token)
allow(controller).to receive_messages(sign_in: nil, render: nil)
controller.send(:authenticate_via_token!)
expect(controller).not_to have_received(:render)
expect(controller).to have_received(:sign_in).with(user)
end
end
end
describe 'API authentication' do
context 'with valid token' do
it 'authenticates user' do
get '/api/submissions', headers: { 'X-Auth-Token': token }
expect(response).to have_http_status(:ok)
end
end
context 'with invalid token' do
it 'returns API-specific error message' do
get '/api/submissions', headers: { 'X-Auth-Token': 'invalid_token' }
expect(response).to have_http_status(:unauthorized)
expect(response.parsed_body).to eq({ 'error' => 'Not authenticated' })
end
end
end
end

36
spec/requests/external_auth_spec.rb
Unescape View File

@ -0,0 +1,36 @@
# frozen_string_literal: true
describe 'External Auth API' do
describe 'POST /api/external_auth/user_token' do
let(:valid_params) do
{
account: {
external_id: '123',
name: 'Test Company'
},
user: {
external_id: '456',
email: 'test@example.com',
first_name: 'John',
last_name: 'Doe'
}
}
end
it 'returns success with access token' do
post '/api/external_auth/user_token', params: valid_params, as: :json
expect(response).to have_http_status(:ok)
expect(response.parsed_body).to have_key('access_token')
end
it 'returns error when params cause exception' do
allow(Account).to receive(:find_or_create_by_external_id).and_raise(StandardError.new('Test error'))
post '/api/external_auth/user_token', params: valid_params, as: :json
expect(response).to have_http_status(:internal_server_error)
expect(response.parsed_body).to eq({ 'error' => 'Internal server error' })
end
end
end

14
spec/signing_form_helper.rb
Unescape View File

@ -59,4 +59,18 @@ module SigningFormHelper
def template_field(template, field_name)
template.fields.find { |f| f['name'] == field_name || f['title'] == field_name } || {}
end
# Waits for a job to be queued in Sidekiq for the specified job class.
def wait_for_job_to_queue(job_class, timeout: 5)
initial_count = job_class.jobs.size
Timeout.timeout(timeout) do
loop do
break if job_class.jobs.size > initial_count
sleep 0.1
end
end
rescue Timeout::Error
# If timeout occurs, just continue - the test will fail with a more descriptive message
end
end

1
spec/system/signing_form_spec.rb
Unescape View File

@ -654,6 +654,7 @@ RSpec.describe 'Signing Form' do
expect do
click_on 'Sign and Complete'
wait_for_job_to_queue(ProcessSubmitterCompletionJob)
end.to change(ProcessSubmitterCompletionJob.jobs, :size).by(1)
end
end

Write Preview
Loading…
Cancel
Save