QT/sure
1
0
Fork 0
mirror of https://github.com/we-promise/sure.git synced 2026-06-08 12:19:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a0f5e56668ed0bf944bfbb5b119953f9edb2e666
sure/app/models/enable_banking_item.rb
Tobias Rahloff fe47c918bb feat(enable_banking): support MFA/decoupled banks and harden session handling (#2174) 
Decoupled/MFA banks (e.g. VR Bank in Holstein) were hard-blocked because the
authorize flow aborted whenever auth_methods[0] was DECOUPLED. Enable Banking's
hosted /auth page actually coordinates decoupled SCA and redirects back with a
code, so route these banks through it instead:

- Provider#start_authorization accepts and forwards an auth_method param
- EnableBankingItem#select_auth_method picks the best method
  (REDIRECT > DECOUPLED > EMBEDDED), filtering by psu_type and skipping hidden
  methods
- Shared begin_authorization! re-fetches ASPSP metadata on each authorize and
  reauthorize, so the method is always re-derived (no persistence required)
- Remove the DECOUPLED block in the controller

Also stop the integration from constantly reporting "session expired":

- Only a session-level GET /sessions 401/404 flips the connection to
  requires_update; per-account 401/404 are retried and no longer kill the
  whole connection
- Reconcile session_expires_at from the API's access.valid_until on every sync
- Treat an expired session as a graceful requires_update state instead of
  raising a bare error

No schema changes. Adds covering tests.
2026-06-04 19:53:52 +02:00

416 lines
15 KiB
Ruby
Raw Blame History

class EnableBankingItem < ApplicationRecord
include Syncable, Provided, Unlinking, Encryptable
enum :status, { good: "good", requires_update: "requires_update" }, default: :good
# Encrypt sensitive credentials and raw payloads if ActiveRecord encryption is configured
if encryption_ready?
encrypts :client_certificate, deterministic: true
encrypts :session_id, deterministic: true
encrypts :raw_payload
encrypts :raw_institution_payload
end
validates :name, presence: true
validates :country_code, presence: true
validates :application_id, presence: true
validates :client_certificate, presence: true, on: :create
belongs_to :family
has_one_attached :logo, dependent: :purge_later
has_many :enable_banking_accounts, dependent: :destroy
has_many :accounts, through: :enable_banking_accounts
scope :active, -> { where(scheduled_for_deletion: false) }
scope :syncable, -> { active }
scope :ordered, -> { order(created_at: :desc) }
scope :needs_update, -> { where(status: :requires_update) }
def destroy_later
update!(scheduled_for_deletion: true)
DestroyJob.perform_later(self)
end
def credentials_configured?
application_id.present? && client_certificate.present? && country_code.present?
end
def session_valid?
session_id.present? && (session_expires_at.nil? || session_expires_at > Time.current)
end
def session_expired?
session_id.present? && session_expires_at.present? && session_expires_at <= Time.current
end
def needs_authorization?
!session_valid?
end
# TODO: implement data retention policy for last_psu_ip (GDPR/CCPA — nullify after session expiry or 90 days)
validate :psu_type_in_aspsp_types
def psu_type_in_aspsp_types
return if psu_type.blank? || aspsp_psu_types.blank?
unless aspsp_psu_types.include?(psu_type)
errors.add(:psu_type, "must be one of the ASPSP supported types")
end
end
# Start the OAuth authorization flow
# @param aspsp_name [String] Name of the selected ASPSP
# @param redirect_url [String] Callback URL
# @param state [String, nil] State parameter (passed through to callback)
# @param psu_type [String] "personal" or "business"
# @param aspsp_data [Hash, nil] Full ASPSP object from GET /aspsps (used to store metadata)
# @param language [String, nil] Two-letter language code
# @return [String] Redirect URL for the user
def start_authorization(aspsp_name:, redirect_url:, state: nil, psu_type: "personal",
aspsp_data: nil, language: nil)
provider = enable_banking_provider
raise StandardError.new("Enable Banking provider is not configured") unless provider
validated_psu_type = psu_type
selected_method = nil
# Store ASPSP metadata before calling provider so it's available even if auth fails
if aspsp_data.present?
aspsp_data = aspsp_data.with_indifferent_access
aspsp_types = Array(aspsp_data[:psu_types]).map(&:to_s)
# If the requested PSU type isn't supported by this ASPSP, fall back to the
# first type it advertises rather than failing outright.
validated_psu_type = if psu_type.present? && aspsp_types.include?(psu_type)
psu_type
elsif aspsp_types.any?
aspsp_types.first
else
psu_type
end
selected_method = select_auth_method(aspsp_data, validated_psu_type)
update!(
aspsp_required_psu_headers: aspsp_data[:required_psu_headers] || [],
aspsp_maximum_consent_validity: aspsp_data[:maximum_consent_validity],
aspsp_auth_approach: selected_method&.dig(:approach),
aspsp_psu_types: aspsp_types
)
end
result = provider.start_authorization(
aspsp_name: aspsp_name,
aspsp_country: country_code,
redirect_url: redirect_url,
state: state,
psu_type: validated_psu_type,
maximum_consent_validity: aspsp_maximum_consent_validity,
language: language,
auth_method: selected_method&.dig(:name)
)
attributes = {
authorization_id: result[:authorization_id],
aspsp_name: aspsp_name
}
attributes[:psu_type] = validated_psu_type if validated_psu_type.present?
update!(attributes)
result[:url]
end
# Shared entry point for both initial authorization and reauthorization.
# Re-fetches ASPSP metadata (so the auth method / PSU type selection and the
# stored approach stay accurate) and starts the provider authorization. The
# re-fetch — rather than caching the full ASPSP object in the session — keeps
# us under the 4KB session cookie limit.
# @return [String] Redirect URL for the user
def begin_authorization!(redirect_url:, state:, language: nil, psu_type: nil, aspsp_name: nil)
name = aspsp_name.presence || self.aspsp_name
raise StandardError.new("No bank selected for this connection") if name.blank?
start_authorization(
aspsp_name: name,
redirect_url: redirect_url,
state: state,
psu_type: psu_type.presence || self.psu_type || "personal",
aspsp_data: fetch_aspsp_data(name),
language: language
)
end
# Complete the authorization flow with the code from callback
def complete_authorization(code:)
provider = enable_banking_provider
raise StandardError.new("Enable Banking provider is not configured") unless provider
result = provider.create_session(code: code)
# Store session information
update!(
session_id: result[:session_id],
session_expires_at: parse_session_expiry(result),
authorization_id: nil, # Clear the authorization ID
status: :good
)
# Import the accounts from the session
import_accounts_from_session(result[:accounts] || [])
result
end
# Reconcile the locally-stored session expiry with what the API reports.
# The session info returned by GET /sessions carries the authoritative
# access.valid_until; persisting it on every sync keeps session_valid? accurate
# and avoids both premature "expired" states and stale "still valid" states.
def reconcile_session_expiry!(session_data)
return unless session_data.is_a?(Hash)
valid_until = session_data.dig(:access, :valid_until) || session_data.dig("access", "valid_until")
return if valid_until.blank?
parsed = Time.zone.parse(valid_until.to_s)
return if parsed.nil? || parsed == session_expires_at
update!(session_expires_at: parsed)
rescue ArgumentError, TypeError, ActiveRecord::ActiveRecordError => e
# Best-effort reconciliation: swallow bad timestamps (ArgumentError/TypeError)
# as well as validation/locking failures from update! (RecordInvalid,
# StaleObjectError) so a sync is never derailed by expiry bookkeeping.
Rails.logger.warn "EnableBankingItem #{id} - Failed to reconcile session expiry: #{e.message}"
end
def import_latest_enable_banking_data
provider = enable_banking_provider
unless provider
Rails.logger.error "EnableBankingItem #{id} - Cannot import: Enable Banking provider is not configured"
raise StandardError.new("Enable Banking provider is not configured")
end
unless session_valid?
Rails.logger.error "EnableBankingItem #{id} - Cannot import: Session is not valid"
update!(status: :requires_update)
raise StandardError.new("Enable Banking session is not valid or has expired")
end
EnableBankingItem::Importer.new(self, enable_banking_provider: provider).import
rescue => e
Rails.logger.error "EnableBankingItem #{id} - Failed to import data: #{e.message}"
raise
end
def process_accounts
return [] if enable_banking_accounts.empty?
results = []
enable_banking_accounts.joins(:account).merge(Account.visible).each do |enable_banking_account|
begin
result = EnableBankingAccount::Processor.new(enable_banking_account).process
results << { enable_banking_account_id: enable_banking_account.id, success: true, result: result }
rescue => e
Rails.logger.error "EnableBankingItem #{id} - Failed to process account #{enable_banking_account.id}: #{e.message}"
results << { enable_banking_account_id: enable_banking_account.id, success: false, error: e.message }
end
end
results
end
def schedule_account_syncs(parent_sync: nil, window_start_date: nil, window_end_date: nil)
return [] if accounts.empty?
results = []
accounts.visible.each do |account|
begin
account.sync_later(
parent_sync: parent_sync,
window_start_date: window_start_date,
window_end_date: window_end_date
)
results << { account_id: account.id, success: true }
rescue => e
Rails.logger.error "EnableBankingItem #{id} - Failed to schedule sync for account #{account.id}: #{e.message}"
results << { account_id: account.id, success: false, error: e.message }
end
end
results
end
def upsert_enable_banking_snapshot!(accounts_snapshot)
assign_attributes(
raw_payload: accounts_snapshot
)
save!
end
def has_completed_initial_setup?
accounts.any?
end
def linked_accounts_count
enable_banking_accounts.joins(:account_provider).count
end
def unlinked_accounts_count
enable_banking_accounts.left_joins(:account_provider).where(account_providers: { id: nil }).count
end
def total_accounts_count
enable_banking_accounts.count
end
def sync_status_summary
latest = latest_sync
return nil unless latest
if latest.sync_stats.present?
stats = latest.sync_stats
total = stats["total_accounts"] || 0
linked = stats["linked_accounts"] || 0
unlinked = stats["unlinked_accounts"] || 0
if total == 0
"No accounts found"
elsif unlinked == 0
"#{linked} #{'account'.pluralize(linked)} synced"
else
"#{linked} synced, #{unlinked} need setup"
end
else
total_accounts = enable_banking_accounts.count
linked_count = accounts.count
unlinked_count = total_accounts - linked_count
if total_accounts == 0
"No accounts found"
elsif unlinked_count == 0
"#{linked_count} #{'account'.pluralize(linked_count)} synced"
else
"#{linked_count} synced, #{unlinked_count} need setup"
end
end
end
def institution_display_name
aspsp_name.presence || institution_name.presence || institution_domain.presence || name
end
def connected_institutions
enable_banking_accounts.includes(:account)
.where.not(institution_metadata: nil)
.map { |acc| acc.institution_metadata }
.uniq { |inst| inst["name"] || inst["institution_name"] }
end
def institution_summary
institutions = connected_institutions
case institutions.count
when 0
aspsp_name.presence || "No institutions connected"
when 1
institutions.first["name"] || institutions.first["institution_name"] || "1 institution"
else
"#{institutions.count} institutions"
end
end
# Revoke the session with Enable Banking
def revoke_session
return unless session_id.present?
provider = enable_banking_provider
return unless provider
begin
provider.delete_session(session_id: session_id)
rescue Provider::EnableBanking::EnableBankingError => e
Rails.logger.warn "EnableBankingItem #{id} - Failed to revoke session: #{e.message}"
ensure
update!(
session_id: nil,
session_expires_at: nil,
authorization_id: nil
)
end
end
private
# Authentication approach preference, lowest number wins.
# REDIRECT is the smoothest (PSU authenticates entirely on the ASPSP page).
# DECOUPLED works through Enable Banking's hosted page (push-to-app / photoTAN
# / chipTAN). EMBEDDED is last resort (handled by the hosted page too).
AUTH_APPROACH_PRIORITY = { "REDIRECT" => 0, "DECOUPLED" => 1, "EMBEDDED" => 2 }.freeze
# Choose the best authentication method for the given PSU type.
# Returns a hash with :name and :approach, or nil when the ASPSP exposes no
# API-selectable methods (Enable Banking then falls back to its default).
def select_auth_method(aspsp_data, psu_type)
methods = Array(aspsp_data[:auth_methods]).map(&:with_indifferent_access)
return nil if methods.empty?
# Hidden methods aren't surfaced on Enable Banking's hosted page, so we don't
# auto-select one (the PSU couldn't complete it). If every method is hidden,
# return nil and let /auth fall back to the ASPSP's default rather than
# forcing a non-selectable method.
methods = methods.reject { |m| ActiveModel::Type::Boolean.new.cast(m[:hidden_method]) }
return nil if methods.empty?
# Prefer methods that match the chosen PSU type; if none declare a psu_type
# (or none match), consider all of them.
matching = methods.select { |m| m[:psu_type].blank? || m[:psu_type].to_s == psu_type.to_s }
candidates = matching.presence || methods
best = candidates.min_by { |m| AUTH_APPROACH_PRIORITY.fetch(m[:approach].to_s, 99) }
return nil unless best
{ name: best[:name], approach: best[:approach] }
end
# Fetch the ASPSP object for a given name from the provider's /aspsps list.
# Returns a HashWithIndifferentAccess, or nil if unavailable.
def fetch_aspsp_data(aspsp_name)
provider = enable_banking_provider
return nil unless provider
response = provider.get_aspsps(country: country_code)
raw_aspsps = response[:aspsps] || response["aspsps"] || []
raw_aspsps.find { |a| (a[:name] || a["name"]) == aspsp_name }&.with_indifferent_access
rescue Provider::EnableBanking::EnableBankingError => e
Rails.logger.warn "EnableBankingItem #{id} - could not fetch ASPSP metadata for #{aspsp_name}: #{e.message}"
nil
end
def parse_session_expiry(session_result)
if session_result[:access].present? && session_result[:access][:valid_until].present?
parsed = Time.zone.parse(session_result[:access][:valid_until])
parsed || 90.days.from_now
else
90.days.from_now
end
rescue ArgumentError, TypeError => e
Rails.logger.warn "EnableBankingItem #{id} - Failed to parse session expiry: #{e.message}"
90.days.from_now
end
def import_accounts_from_session(accounts_data)
return if accounts_data.blank?
accounts_data.each do |account_data|
# Use identification_hash as the stable identifier across sessions
uid = account_data[:identification_hash] || account_data[:uid]
next unless uid.present?
enable_banking_account = enable_banking_accounts.find_or_initialize_by(uid: uid)
enable_banking_account.upsert_enable_banking_snapshot!(account_data)
enable_banking_account.save!
end
end
end
Reference in New Issue View Git Blame Copy Permalink