mirror of
https://github.com/we-promise/sure.git
synced 2026-06-04 10:19:03 +00:00
8251b7e4d6
* feat(ai): add Anthropic provider with chat parity (1/5)
Introduces Provider::Anthropic alongside Provider::Openai, implementing
the LlmConcept chat_response contract over the official anthropic Ruby
SDK. Batch ops, PDF, and RAG land in follow-up PRs.
- Provider::Anthropic uses Messages API for sync and streaming responses
- ChatConfig builds requests with ephemeral prompt-cache markers on the
system prompt and the last tool definition
- MessageFormatter reconstructs multi-turn history (text + tool_use +
tool_result blocks) from raw Message records, including the paired
user-role tool_result turn Anthropic requires after every tool_use
- ChatParser maps Anthropic Message into the shared ChatResponse Data
- Registry, Setting, User, Chat default model wired for ANTHROPIC_*
envs and Setting.anthropic_*; LLM_PROVIDER selects between providers
- Responder forwards raw conversation_history (Array<Message>) so
providers without hosted conversation state can rebuild context
- OpenAI provider accepts and ignores the new kwarg (no behavior change)
Tests cover provider init, model gating, MessageFormatter for all turn
shapes, ChatConfig request building (max_tokens, system cache, tool
conversion), ChatParser for text / tool_use / mixed blocks, Registry
discovery, and mocked chat_response success / error / function_request
paths. Live VCR cassettes recorded in a follow-up with a real key.
Stacked PRs: 2/5 batch ops + cost ledger, 3/5 PDF, 4/5 pgvector RAG,
5/5 settings UI + disclosure.
* fix(ai): address PR review on Anthropic provider foundation
Surface fixes raised by Codex + CodeRabbit on PR 1/5:
- Provider::Anthropic#chat_response now accepts (and ignores) a
`messages:` kwarg. Assistant::Responder passes both `messages:`
(OpenAI-shape) and `conversation_history:` (raw Message records) for
cross-provider parity, so the previous signature raised
ArgumentError on the first chat turn through the Anthropic provider.
- Provider::Anthropic#supports_model? bypasses the `claude` prefix
gate when a custom base_url is configured, mirroring the OpenAI
provider. Bedrock-shaped IDs like
`anthropic.claude-sonnet-4-5-20250929-v1:0` and
`claude-opus-4@20250514` are otherwise rejected by
Assistant::Provided#get_model_provider and the chat dies.
- Setting.anthropic_access_token is now in
EncryptedSettingFields::ENCRYPTED_FIELDS so the Anthropic API key
is encrypted at rest like every other provider secret. Previously
plaintext while siblings (openai_access_token, twelve_data_api_key,
external_assistant_token) were ciphertext.
- Chat.default_model falls back to whichever provider is actually
configured. Previously, with LLM_PROVIDER=anthropic but no
Anthropic credentials, the default model resolved to a Claude ID
that no registered provider supported, so chats failed even when
OpenAI was fully configured. Adds Provider::{Anthropic,Openai}#configured?
class methods for the readable callsite.
- Provider::Anthropic.effective_model uses
`ENV["ANTHROPIC_MODEL"].presence || Setting.anthropic_model` so the
Setting lookup is only performed when the env var is absent — the
previous `ENV.fetch(KEY, default)` evaluated the default arg
eagerly on every call.
- Provider::Anthropic::ChatConfig#anthropic_input_schema strips both
`:strict` and `"strict"` keys so JSON-decoded schemas with string
keys cannot leak the OpenAI-only flag through to Anthropic.
Test coverage added: supports_model? bypass on custom endpoints,
chat_response messages: kwarg compatibility, default_model fallback
in the three credential combinations, configured? against ENV +
Setting, strict-flag stripping for both key types, and a
`Setting.expects(:anthropic_model).never` assertion proving the
ENV-precedence test now exercises the lazy path.
All 4365 tests pass (1 pre-existing libvips env error unrelated).
* test(chat): make default_model tests resilient to ENV model overrides
CodeRabbit flagged on PR review: the new default_model tests asserted
against Provider::*::DEFAULT_MODEL, but Chat.default_model actually
returns Provider::*.effective_model.presence (which reads
OPENAI_MODEL / ANTHROPIC_MODEL from the environment). With either env
var set, the tests would fail intermittently even though routing was
correct.
- New default_model tests now assert against the provider's
effective_model directly, so they verify the routing decision
(which provider's value wins) without coupling to the constant.
- Pre-existing "creates with default model" assertions had the same
brittleness; switch them to compare against Chat.default_model so
the chosen model is whatever the env / Setting cascade resolves to.
Verified by running `ANTHROPIC_MODEL=claude-haiku-4-5 OPENAI_MODEL=gpt-4o
bin/rails test test/models/chat_test.rb` — 16 runs, 0 failures
(previously 2 pre-existing failures + 0 from the new tests).
* fix(ai): address local review on Anthropic foundation
- Provider::Anthropic#supports_pdf_processing? bypasses prefix gate for
custom endpoints, mirroring supports_model?
- Provider::Anthropic#initialize raises Error when custom_endpoint? AND
model.blank?, parity with Provider::Openai
- stream_chat_response captures partial usage on mid-stream errors and
records it via the new on_partial callback so chat_response can skip
the duplicate error row in the outer rescue
- safe_accumulated_message swallows the secondary failure when the SDK
cannot reconstruct a snapshot
- langfuse_client memoizes properly (||= instead of =) so repeated calls
don't churn Langfuse instances
- MessageFormatter sorts tool_calls by created_at then id so the
message array is deterministic across replays; skips tool_calls
missing both provider_call_id and provider_id rather than sending
`id: nil` and getting rejected by Anthropic
- Setting.anthropic_access_token default falls back through
ENV["ANTHROPIC_API_KEY"].presence (was missing .presence, so an
empty-string env value bled through)
- User#openai_configured? / #anthropic_configured? delegate to the
Provider::* class methods — single source of truth
- Assistant::Responder renames the OpenAI-shape history builder
conversation_history → openai_messages_payload so the kwarg name
matches the local method name (messages: openai_messages_payload,
conversation_history: chat_message_records)
- Assistant::Builtin stale-history comment updated to reference both
builders
Adds a streaming chat_response test using ad-hoc subclasses of the
SDK event types so the case/when dispatch matches via is_a? without
stubbing class-level === behavior.
* test(ai): add Anthropic tool_use round-trip + multi-tool turn coverage
Addresses @jjmata's "worth confirming" note on PR #1983: tool-use turns
from prior assistant messages must round-trip correctly when retrieved
from the database.
- New `ChatParser → ToolCall::Function → MessageFormatter` test walks
the full path: Anthropic response with a tool_use block →
ChatFunctionRequest → ToolCall::Function.from_function_request →
persisted on the AssistantMessage → MessageFormatter rebuild on the
next turn. Asserts the original `tool_use.id` is preserved end-to-end
as both `tool_use.id` and the paired `tool_result.tool_use_id`, and
that the original `input` hash and serialized result content survive.
- New multi-tool assistant turn test confirms two tool_use blocks on a
single assistant message render as two tool_use blocks followed by
two paired tool_result blocks in a single user-role follow-up,
matching Anthropic's required alternation.
Both tests exercise the existing PR1 code without behavior changes.
* test(ai): require "ostruct" explicitly in Anthropic provider tests
OpenStruct is moving out of Ruby's default load path (warning in 3.4+,
removed in 3.5+). Tests work today because ActiveSupport transitively
loads it, but that's incidental. Match the existing convention in
test/controllers/settings/hostings_controller_test.rb which explicitly
requires ostruct for the same reason.
* fix(ai): sanitize Langfuse warn logs, normalize tool_use.input, dedup history fetch
Addresses three open CodeRabbit findings on PR #1983.
- Provider::Anthropic Langfuse rescue branches no longer include
`e.full_message` in `Rails.logger.warn`. `full_message` bundles the
backtrace + cause chain and on some SDK error types includes the
serialized request/response payload (prompt, model output). Logs
now report `#{e.class}: #{e.message}` only. Three sites:
create_langfuse_trace, log_langfuse_generation, upsert_langfuse_trace.
Note: Provider::Openai has the same pattern (copy-pasted source) —
harmonization deferred to a follow-up cleanup PR; this commit fixes
only the Anthropic provider to keep PR scope tight.
- MessageFormatter#parse_arguments now coerces any non-Hash parsed
result to `{}`. Anthropic's Messages API requires `tool_use.input`
to be a JSON object (map); a stored ToolCall::Function record whose
arguments parse to a scalar, bool, or array (corrupt row, legacy
data, cross-provider bleed) would otherwise produce a payload the
API rejects. Normal flow stores Hash arguments end-to-end so the
fix is defensive — adds 2 tests covering scalar/array JSON strings
and non-String non-Hash inputs.
- Assistant::Responder dedups the chat-history fetch. The previous
layout fired two near-identical `chat.messages.where(...).includes(
:tool_calls).ordered` queries per LLM turn (one for the OpenAI-shape
payload, one for the raw-records kwarg). A new memoized
`complete_chat_messages` fetches once; `chat_message_records` filters
out the current message via `Array#reject`, `openai_messages_payload`
iterates the cached array unchanged. One SQL query per turn instead
of two. Memoization scope = single Responder instance (per LLM call),
so cache invalidation is not a concern.
All 4370 tests pass (1 pre-existing libvips env error unrelated).
Rubocop + brakeman clean.
* fix(ci): replace sk-ant- prefixed test placeholders
Pipelock secret scanner pattern-matches `sk-ant-*` as a real Anthropic
API key and fails the PR security-scan check. Test stubs and
ClimateControl env values used `sk-ant-test`, `sk-ant-from-setting`,
`sk-ant-x`, `sk-ant-y` as obvious placeholders, but the scanner does
not care about value entropy.
Switched to `fake-anthropic-key-*` / `fake-token-*` strings so the
scanner stops flagging them. No production code touched, no behavior
change — Provider::Anthropic still accepts any non-blank token.
560 lines
16 KiB
Ruby
560 lines
16 KiB
Ruby
class User < ApplicationRecord
|
|
include Encryptable
|
|
|
|
# Allow nil password for SSO-only users (JIT provisioning).
|
|
# Custom validation ensures password is present for non-SSO registration.
|
|
has_secure_password validations: false
|
|
|
|
# Encrypt sensitive fields if ActiveRecord encryption is configured
|
|
if encryption_ready?
|
|
# MFA secrets
|
|
encrypts :otp_secret, deterministic: true
|
|
|
|
# PII - emails (deterministic for lookups, downcase for case-insensitive)
|
|
encrypts :email, deterministic: true, downcase: true
|
|
encrypts :unconfirmed_email, deterministic: true, downcase: true
|
|
|
|
# PII - names (non-deterministic for maximum security)
|
|
encrypts :first_name
|
|
encrypts :last_name
|
|
end
|
|
|
|
belongs_to :family
|
|
belongs_to :last_viewed_chat, class_name: "Chat", optional: true
|
|
belongs_to :default_account, class_name: "Account", optional: true
|
|
has_many :sessions, dependent: :destroy
|
|
has_many :chats, dependent: :destroy
|
|
has_many :api_keys, dependent: :destroy
|
|
has_many :webauthn_credentials, dependent: :destroy
|
|
has_many :mobile_devices, dependent: :destroy
|
|
has_many :invitations, foreign_key: :inviter_id, dependent: :destroy
|
|
has_many :impersonator_support_sessions, class_name: "ImpersonationSession", foreign_key: :impersonator_id, dependent: :destroy
|
|
has_many :impersonated_support_sessions, class_name: "ImpersonationSession", foreign_key: :impersonated_id, dependent: :destroy
|
|
has_many :oidc_identities, dependent: :destroy
|
|
has_many :sso_audit_logs, dependent: :nullify
|
|
has_many :owned_accounts, class_name: "Account", foreign_key: :owner_id
|
|
has_many :account_shares, dependent: :destroy
|
|
has_many :shared_accounts, through: :account_shares, source: :account
|
|
accepts_nested_attributes_for :family, update_only: true
|
|
|
|
MFA_BACKUP_CODE_COUNT = 8
|
|
|
|
validates :email, presence: true, uniqueness: true, format: { with: URI::MailTo::EMAIL_REGEXP }
|
|
validate :ensure_valid_profile_image
|
|
validates :default_period, inclusion: { in: Period::PERIODS.keys }
|
|
validates :default_account_order, inclusion: { in: AccountOrder::ORDERS.keys }
|
|
validates :locale, inclusion: { in: I18n.available_locales.map(&:to_s) }, allow_nil: true
|
|
|
|
# Password is required on create unless the user is being created via SSO JIT.
|
|
# SSO JIT users have password_digest = nil and authenticate via OIDC only.
|
|
validates :password, presence: true, on: :create, unless: :skip_password_validation?
|
|
validates :password, length: { minimum: 8 }, allow_nil: true
|
|
normalizes :email, with: ->(email) { email.strip.downcase }
|
|
normalizes :unconfirmed_email, with: ->(email) { email&.strip&.downcase }
|
|
normalizes :locale, with: ->(locale) { locale.presence }
|
|
|
|
normalizes :first_name, :last_name, with: ->(value) { value.strip.presence }
|
|
|
|
enum :role, { guest: "guest", member: "member", admin: "admin", super_admin: "super_admin" }, validate: true
|
|
enum :ui_layout, { dashboard: "dashboard", intro: "intro" }, validate: true, prefix: true
|
|
|
|
before_validation :apply_ui_layout_defaults
|
|
before_validation :apply_role_based_ui_defaults
|
|
|
|
# Returns the appropriate role for a new user creating a family.
|
|
# The very first user of an instance becomes super_admin; subsequent users
|
|
# get the specified fallback role (typically :admin for family creators).
|
|
def self.role_for_new_family_creator(fallback_role: :admin)
|
|
User.exists? ? fallback_role : :super_admin
|
|
end
|
|
|
|
has_one_attached :profile_image, dependent: :purge_later do |attachable|
|
|
attachable.variant :thumbnail, resize_to_fill: [ 300, 300 ], convert: :webp, saver: { quality: 80 }
|
|
attachable.variant :small, resize_to_fill: [ 72, 72 ], convert: :webp, saver: { quality: 80 }, preprocessed: true
|
|
end
|
|
|
|
validate :profile_image_size
|
|
|
|
generates_token_for :password_reset, expires_in: 15.minutes do
|
|
password_salt&.last(10)
|
|
end
|
|
|
|
generates_token_for :email_confirmation, expires_in: 1.day do
|
|
unconfirmed_email
|
|
end
|
|
|
|
def pending_email_change?
|
|
unconfirmed_email.present?
|
|
end
|
|
|
|
def initiate_email_change(new_email)
|
|
return false if new_email == email
|
|
|
|
if Rails.application.config.app_mode.self_hosted? && !Setting.require_email_confirmation
|
|
update(email: new_email)
|
|
else
|
|
if update(unconfirmed_email: new_email)
|
|
EmailConfirmationMailer.with(user: self).confirmation_email.deliver_later
|
|
true
|
|
else
|
|
false
|
|
end
|
|
end
|
|
end
|
|
|
|
def resend_confirmation_email
|
|
if pending_email_change?
|
|
EmailConfirmationMailer.with(user: self).confirmation_email.deliver_later
|
|
true
|
|
else
|
|
false
|
|
end
|
|
end
|
|
|
|
def request_impersonation_for(user_id)
|
|
impersonated = User.find(user_id)
|
|
impersonator_support_sessions.create!(impersonated: impersonated)
|
|
end
|
|
|
|
def admin?
|
|
super_admin? || role == "admin"
|
|
end
|
|
|
|
def accessible_accounts
|
|
family.accounts.accessible_by(self)
|
|
end
|
|
|
|
def finance_accounts
|
|
family.accounts.included_in_finances_for(self)
|
|
end
|
|
|
|
def display_name
|
|
[ first_name, last_name ].compact.join(" ").presence || email
|
|
end
|
|
|
|
def initial
|
|
(display_name&.first || email.first).upcase
|
|
end
|
|
|
|
def initials
|
|
if first_name.present? && last_name.present?
|
|
"#{first_name.first}#{last_name.first}".upcase
|
|
else
|
|
initial
|
|
end
|
|
end
|
|
|
|
def show_ai_sidebar?
|
|
show_ai_sidebar
|
|
end
|
|
|
|
def ai_available?
|
|
return true unless Rails.application.config.app_mode.self_hosted?
|
|
|
|
effective_type = ENV["ASSISTANT_TYPE"].presence || family&.assistant_type.presence || "builtin"
|
|
|
|
case effective_type
|
|
when "external"
|
|
Assistant::External.available_for?(self)
|
|
else
|
|
openai_configured? || anthropic_configured?
|
|
end
|
|
end
|
|
|
|
def openai_configured?
|
|
Provider::Openai.configured?
|
|
end
|
|
|
|
def anthropic_configured?
|
|
Provider::Anthropic.configured?
|
|
end
|
|
|
|
def ai_enabled?
|
|
ai_enabled && ai_available?
|
|
end
|
|
|
|
def self.default_ui_layout
|
|
layout = Rails.application.config.x.ui&.default_layout || "dashboard"
|
|
layout.in?(%w[intro dashboard]) ? layout : "dashboard"
|
|
end
|
|
|
|
# SSO-only users have OIDC identities but no local password.
|
|
# They cannot use password reset or local login.
|
|
def sso_only?
|
|
password_digest.nil? && oidc_identities.exists?
|
|
end
|
|
|
|
# Check if user has a local password set (can authenticate locally)
|
|
def has_local_password?
|
|
password_digest.present?
|
|
end
|
|
|
|
# Attribute to skip password validation during SSO JIT provisioning
|
|
attr_accessor :skip_password_validation
|
|
|
|
# Deactivation
|
|
validate :can_deactivate, if: -> { active_changed? && !active }
|
|
after_update_commit :purge_later, if: -> { saved_change_to_active?(from: true, to: false) }
|
|
|
|
def deactivate
|
|
update active: false, email: deactivated_email
|
|
end
|
|
|
|
def can_deactivate
|
|
if admin? && family.users.count > 1
|
|
errors.add(:base, :cannot_deactivate_admin_with_other_users)
|
|
end
|
|
end
|
|
|
|
def purge_later
|
|
UserPurgeJob.perform_later(self)
|
|
end
|
|
|
|
def purge
|
|
if last_user_in_family?
|
|
family.destroy
|
|
else
|
|
reassign_owned_accounts!
|
|
destroy
|
|
end
|
|
end
|
|
|
|
# MFA
|
|
def setup_mfa!
|
|
update!(
|
|
otp_secret: ROTP::Base32.random(32),
|
|
otp_required: false,
|
|
otp_backup_codes: []
|
|
)
|
|
end
|
|
|
|
def enable_mfa!
|
|
raise ArgumentError, "OTP secret must be set before enabling MFA" if otp_secret.blank?
|
|
|
|
backup_codes = generate_backup_codes
|
|
|
|
# Store bcrypt digests only; this Postgres array cannot use AR encryption.
|
|
update!(
|
|
otp_required: true,
|
|
otp_backup_codes: backup_codes.map { |code| digest_backup_code(code) }
|
|
)
|
|
|
|
backup_codes
|
|
end
|
|
|
|
def disable_mfa!
|
|
transaction do
|
|
update!(
|
|
otp_secret: nil,
|
|
otp_required: false,
|
|
otp_backup_codes: []
|
|
)
|
|
webauthn_credentials.destroy_all
|
|
end
|
|
end
|
|
|
|
def verify_otp?(code)
|
|
return false if otp_secret.blank?
|
|
|
|
normalized_code = normalize_mfa_code(code)
|
|
return false if normalized_code.blank?
|
|
return true if totp.verify(normalized_code, drift_behind: 15)
|
|
return false unless backup_code_input?(normalized_code)
|
|
|
|
consume_backup_code!(normalized_code)
|
|
end
|
|
|
|
def provisioning_uri
|
|
return nil unless otp_secret.present?
|
|
totp.provisioning_uri(email)
|
|
end
|
|
|
|
def ensure_webauthn_id!
|
|
return webauthn_id if webauthn_id.present?
|
|
|
|
with_lock do
|
|
update!(webauthn_id: WebAuthn.generate_user_id) unless webauthn_id.present?
|
|
end
|
|
|
|
webauthn_id
|
|
end
|
|
|
|
def webauthn_enabled?
|
|
otp_required? && webauthn_credentials.exists?
|
|
end
|
|
|
|
def onboarded?
|
|
onboarded_at.present?
|
|
end
|
|
|
|
def needs_onboarding?
|
|
!onboarded?
|
|
end
|
|
|
|
def account_order
|
|
AccountOrder.find(default_account_order) || AccountOrder.default
|
|
end
|
|
|
|
def default_account_for_transactions
|
|
return nil unless default_account_id.present?
|
|
|
|
account = default_account
|
|
return nil unless account&.eligible_for_transaction_default? && account.family_id == family_id
|
|
|
|
account
|
|
end
|
|
|
|
# Dashboard preferences management
|
|
def dashboard_section_collapsed?(section_key)
|
|
preferences&.dig("collapsed_sections", section_key) == true
|
|
end
|
|
|
|
def dashboard_section_order
|
|
preferences&.[]("section_order") || default_dashboard_section_order
|
|
end
|
|
|
|
def update_dashboard_preferences(prefs)
|
|
# Use pessimistic locking to ensure atomic read-modify-write
|
|
# This prevents race conditions when multiple sections are collapsed quickly
|
|
transaction do
|
|
lock! # Acquire row-level lock (SELECT FOR UPDATE)
|
|
|
|
updated_prefs = (preferences || {}).deep_dup
|
|
prefs.each do |key, value|
|
|
if value.is_a?(Hash)
|
|
updated_prefs[key] ||= {}
|
|
updated_prefs[key] = updated_prefs[key].merge(value)
|
|
else
|
|
updated_prefs[key] = value
|
|
end
|
|
end
|
|
|
|
update!(preferences: updated_prefs)
|
|
end
|
|
end
|
|
|
|
# Reports preferences management
|
|
def reports_section_collapsed?(section_key)
|
|
preferences&.dig("reports_collapsed_sections", section_key) == true
|
|
end
|
|
|
|
def reports_section_order
|
|
preferences&.[]("reports_section_order") || default_reports_section_order
|
|
end
|
|
|
|
def update_reports_preferences(prefs)
|
|
# Use pessimistic locking to ensure atomic read-modify-write
|
|
transaction do
|
|
lock!
|
|
|
|
updated_prefs = (preferences || {}).deep_dup
|
|
prefs.each do |key, value|
|
|
if value.is_a?(Hash)
|
|
updated_prefs[key] ||= {}
|
|
updated_prefs[key] = updated_prefs[key].merge(value)
|
|
else
|
|
updated_prefs[key] = value
|
|
end
|
|
end
|
|
|
|
update!(preferences: updated_prefs)
|
|
end
|
|
end
|
|
|
|
# Transactions preferences management
|
|
def transactions_section_collapsed?(section_key)
|
|
preferences&.dig("transactions_collapsed_sections", section_key) == true
|
|
end
|
|
|
|
def show_split_grouped?
|
|
preferences&.dig("show_split_grouped") != false
|
|
end
|
|
|
|
def dashboard_two_column?
|
|
preferences&.dig("dashboard_two_column") == true
|
|
end
|
|
|
|
def preview_features_enabled?
|
|
preferences&.dig("preview_features_enabled") == true
|
|
end
|
|
|
|
def update_transactions_preferences(prefs)
|
|
transaction do
|
|
lock!
|
|
|
|
updated_prefs = (preferences || {}).deep_dup
|
|
prefs.each do |key, value|
|
|
if value.is_a?(Hash)
|
|
updated_prefs["transactions_#{key}"] ||= {}
|
|
updated_prefs["transactions_#{key}"] = updated_prefs["transactions_#{key}"].merge(value)
|
|
else
|
|
updated_prefs["transactions_#{key}"] = value
|
|
end
|
|
end
|
|
|
|
update!(preferences: updated_prefs)
|
|
end
|
|
end
|
|
|
|
private
|
|
def apply_ui_layout_defaults
|
|
self.ui_layout = (ui_layout.presence || self.class.default_ui_layout)
|
|
end
|
|
|
|
def apply_role_based_ui_defaults
|
|
if ui_layout_intro?
|
|
if guest?
|
|
self.show_sidebar = false
|
|
self.show_ai_sidebar = false
|
|
self.ai_enabled = true
|
|
else
|
|
self.ui_layout = "dashboard"
|
|
end
|
|
elsif guest?
|
|
self.ui_layout = "intro"
|
|
self.show_sidebar = false
|
|
self.show_ai_sidebar = false
|
|
self.ai_enabled = true
|
|
end
|
|
|
|
if leaving_guest_role?
|
|
self.show_sidebar = true unless show_sidebar
|
|
self.show_ai_sidebar = true unless show_ai_sidebar
|
|
end
|
|
|
|
if new_record? && member? && !ai_available?
|
|
self.show_ai_sidebar = false
|
|
end
|
|
end
|
|
|
|
def leaving_guest_role?
|
|
return false unless will_save_change_to_role?
|
|
|
|
previous_role, new_role = role_change_to_be_saved
|
|
previous_role == "guest" && new_role != "guest"
|
|
end
|
|
|
|
def skip_password_validation?
|
|
skip_password_validation == true
|
|
end
|
|
|
|
def default_dashboard_section_order
|
|
%w[cashflow_sankey outflows_donut net_worth_chart balance_sheet]
|
|
end
|
|
|
|
def default_reports_section_order
|
|
%w[trends_insights transactions_breakdown]
|
|
end
|
|
def ensure_valid_profile_image
|
|
return unless profile_image.attached?
|
|
|
|
unless profile_image.content_type.in?(%w[image/jpeg image/png])
|
|
errors.add(:profile_image, "must be a JPEG or PNG")
|
|
profile_image.purge
|
|
end
|
|
end
|
|
|
|
def last_user_in_family?
|
|
family.users.count == 1
|
|
end
|
|
|
|
def reassign_owned_accounts!
|
|
account_ids = owned_accounts.pluck(:id)
|
|
return if account_ids.empty?
|
|
|
|
new_owner = family.users.where.not(id: id)
|
|
.find_by(role: %w[admin super_admin]) ||
|
|
family.users.where.not(id: id)
|
|
.order(:created_at).first
|
|
|
|
return unless new_owner
|
|
|
|
Account.where(id: account_ids).update_all(owner_id: new_owner.id)
|
|
# Remove shares the new owner had for these accounts (they now own them)
|
|
AccountShare.where(account_id: account_ids, user_id: new_owner.id).delete_all
|
|
end
|
|
|
|
def deactivated_email
|
|
email.gsub(/@/, "-deactivated-#{SecureRandom.uuid}@")
|
|
end
|
|
|
|
def profile_image_size
|
|
if profile_image.attached? && profile_image.byte_size > 10.megabytes
|
|
errors.add(:profile_image, :invalid_file_size, max_megabytes: 10)
|
|
end
|
|
end
|
|
|
|
def totp
|
|
ROTP::TOTP.new(otp_secret, issuer: "Sure Finances")
|
|
end
|
|
|
|
def consume_backup_code!(normalized_code)
|
|
consumed = false
|
|
|
|
transaction do
|
|
lock!
|
|
|
|
if otp_backup_codes.present?
|
|
matching_index = otp_backup_codes.index do |stored_code|
|
|
backup_code_matches?(stored_code, normalized_code)
|
|
end
|
|
|
|
if matching_index
|
|
remaining_codes = otp_backup_codes.dup
|
|
remaining_codes.delete_at(matching_index)
|
|
update!(otp_backup_codes: remaining_codes)
|
|
consumed = true
|
|
end
|
|
end
|
|
end
|
|
|
|
consumed
|
|
end
|
|
|
|
def generate_backup_codes
|
|
MFA_BACKUP_CODE_COUNT.times.map { SecureRandom.hex(8) }
|
|
end
|
|
|
|
def digest_backup_code(code)
|
|
BCrypt::Password.create(normalize_mfa_code(code), cost: backup_code_digest_cost).to_s
|
|
end
|
|
|
|
def backup_code_matches?(stored_code, normalized_code)
|
|
if backup_code_digest?(stored_code)
|
|
return false unless backup_code_input?(normalized_code)
|
|
|
|
BCrypt::Password.new(stored_code).is_password?(normalized_code)
|
|
else
|
|
# Legacy plaintext codes are accepted once so existing MFA users are
|
|
# not locked out after backup-code hashing ships.
|
|
ActiveSupport::SecurityUtils.secure_compare(stored_code.to_s, normalized_code)
|
|
end
|
|
rescue BCrypt::Errors::InvalidHash
|
|
false
|
|
end
|
|
|
|
def backup_code_digest?(stored_code)
|
|
stored_code.to_s.start_with?("$2a$", "$2b$", "$2y$")
|
|
end
|
|
|
|
def normalize_mfa_code(code)
|
|
code.to_s.strip.downcase
|
|
end
|
|
|
|
def backup_code_input?(code)
|
|
backup_code_candidate?(code) || legacy_plaintext_backup_code_candidate?(code)
|
|
end
|
|
|
|
def backup_code_candidate?(code)
|
|
code.to_s.match?(/\A[0-9a-f]{16}\z/)
|
|
end
|
|
|
|
def legacy_plaintext_backup_code_candidate?(code)
|
|
code.to_s.match?(/\A[0-9a-f]{8}\z/)
|
|
end
|
|
|
|
def backup_code_digest_cost
|
|
ActiveModel::SecurePassword.min_cost ? BCrypt::Engine::MIN_COST : BCrypt::Engine.cost
|
|
end
|
|
end
|