sure/app/controllers/sessions_controller.rb

class SessionsController < ApplicationController
  before_action :set_session, only: :destroy
  skip_authentication only: %i[index new create openid_connect failure post_logout mobile_sso_start]

  layout "auth"

  # Handle GET /sessions (usually from browser back button)
  def index
    redirect_to new_session_path
  end

  def new
    # Clear any stale mobile SSO session flag from an abandoned mobile flow
    session.delete(:mobile_sso)

    begin
      demo = Rails.application.config_for(:demo)
      @prefill_demo_credentials = demo_host_match?(demo)
      if @prefill_demo_credentials
        @email = params[:email].presence || demo["email"]
        @password = params[:password].presence || demo["password"]
      else
        @email = params[:email]
        @password = params[:password]
      end
    rescue RuntimeError, Errno::ENOENT, Psych::SyntaxError
      # Demo config file missing or malformed - disable demo credential prefilling
      @prefill_demo_credentials = false
      @email = params[:email]
      @password = params[:password]
    end
  end

  def create
    # Clear any stale mobile SSO session flag from an abandoned mobile flow
    session.delete(:mobile_sso)

    user = nil

    if AuthConfig.local_login_enabled?
      user = User.authenticate_by(email: params[:email], password: params[:password])
    else
      # Local login is disabled. Only allow attempts when an emergency super-admin
      # override is enabled and the email belongs to a super-admin.
      if AuthConfig.local_admin_override_enabled?
        candidate = User.find_by(email: params[:email])
        unless candidate&.super_admin?
          redirect_to new_session_path, alert: t("sessions.create.local_login_disabled")
          return
        end

        user = User.authenticate_by(email: params[:email], password: params[:password])
      else
        redirect_to new_session_path, alert: t("sessions.create.local_login_disabled")
        return
      end
    end

    if user
      if user.otp_required?
        log_super_admin_override_login(user)
        session[:mfa_user_id] = user.id
        redirect_to verify_mfa_path
      else
        log_super_admin_override_login(user)
        @session = create_session_for(user)
        redirect_to root_path
      end
    else
      flash.now[:alert] = t(".invalid_credentials")
      render :new, status: :unprocessable_entity
    end
  end

  def destroy
    user = Current.user
    id_token = session[:id_token_hint]
    login_provider = session[:sso_login_provider]

    # Find the identity for the provider used during login, with fallback to first if session data lost
    oidc_identity = if login_provider.present?
      user.oidc_identities.find_by(provider: login_provider)
    else
      user.oidc_identities.first
    end

    # Destroy local session
    @session.destroy
    session.delete(:id_token_hint)
    session.delete(:sso_login_provider)

    # Check if we should redirect to IdP for federated logout
    if oidc_identity && id_token.present?
      idp_logout_url = build_idp_logout_url(oidc_identity, id_token)

      if idp_logout_url
        SsoAuditLog.log_logout_idp!(user: user, provider: oidc_identity.provider, request: request)
        redirect_to idp_logout_url, allow_other_host: true
        return
      end
    end

    # Standard local logout
    SsoAuditLog.log_logout!(user: user, request: request)
    redirect_to new_session_path, notice: t(".logout_successful")
  end

  # Handle redirect back from IdP after federated logout
  def post_logout
    redirect_to new_session_path, notice: t(".logout_successful")
  end

  def mobile_sso_start
    provider = params[:provider].to_s
    configured_providers = Rails.configuration.x.auth.sso_providers.map { |p| p[:name].to_s }

    unless configured_providers.include?(provider)
      mobile_sso_redirect(error: "invalid_provider", message: "SSO provider not configured")
      return
    end

    device_params = params.permit(:device_id, :device_name, :device_type, :os_version, :app_version)
    unless device_params[:device_id].present? && device_params[:device_name].present? && device_params[:device_type].present?
      mobile_sso_redirect(error: "missing_device_info", message: "Device information is required")
      return
    end

    session[:mobile_sso] = {
      device_id: device_params[:device_id],
      device_name: device_params[:device_name],
      device_type: device_params[:device_type],
      os_version: device_params[:os_version],
      app_version: device_params[:app_version]
    }

    # Render auto-submitting form to POST to OmniAuth (required by omniauth-rails_csrf_protection)
    @provider = provider
    render layout: false
  end

  def openid_connect
    auth = request.env["omniauth.auth"]

    # Nil safety: ensure auth and required fields are present
    unless auth&.provider && auth&.uid
      redirect_to new_session_path, alert: t("sessions.openid_connect.failed")
      return
    end

    # Security fix: Look up by provider + uid, not just email
    oidc_identity = OidcIdentity.find_by(provider: auth.provider, uid: auth.uid)

    if oidc_identity
      # Existing OIDC identity found - authenticate the user
      user = oidc_identity.user
      oidc_identity.record_authentication!
      oidc_identity.sync_user_attributes!(auth)

      # Log successful SSO login
      SsoAuditLog.log_login!(user: user, provider: auth.provider, request: request)

      # Mobile SSO: issue Doorkeeper tokens and redirect to app
      if session[:mobile_sso].present?
        if user.otp_required?
          session.delete(:mobile_sso)
          mobile_sso_redirect(error: "mfa_not_supported", message: "MFA users should sign in with email and password")
        else
          handle_mobile_sso_callback(user)
        end
        return
      end

      # Store id_token and provider for RP-initiated logout
      session[:id_token_hint] = auth.credentials&.id_token if auth.credentials&.id_token
      session[:sso_login_provider] = auth.provider

      # MFA check: If user has MFA enabled, require verification
      if user.otp_required?
        session[:mfa_user_id] = user.id
        redirect_to verify_mfa_path
      else
        @session = create_session_for(user)
        redirect_to root_path
      end
    else
      # Mobile SSO with no linked identity - redirect back with error
      if session[:mobile_sso].present?
        session.delete(:mobile_sso)
        mobile_sso_redirect(error: "account_not_linked", message: "Please link your Google account from the web app first")
        return
      end

      # No existing OIDC identity - need to link to account
      # Store auth data in session and redirect to linking page
      session[:pending_oidc_auth] = {
        provider: auth.provider,
        uid: auth.uid,
        email: auth.info&.email,
        name: auth.info&.name,
        first_name: auth.info&.first_name,
        last_name: auth.info&.last_name
      }
      redirect_to link_oidc_account_path
    end
  end

  def failure
    # Sanitize reason to known values only
    known_reasons = %w[sso_provider_unavailable sso_invalid_response sso_failed]
    sanitized_reason = known_reasons.include?(params[:message]) ? params[:message] : "sso_failed"

    # Log failed SSO attempt
    SsoAuditLog.log_login_failed!(
      provider: params[:strategy],
      request: request,
      reason: sanitized_reason
    )

    # Mobile SSO: redirect back to the app with error instead of web login page
    if session[:mobile_sso].present?
      session.delete(:mobile_sso)
      mobile_sso_redirect(error: sanitized_reason, message: "SSO authentication failed")
      return
    end

    message = case sanitized_reason
    when "sso_provider_unavailable"
      t("sessions.failure.sso_provider_unavailable")
    when "sso_invalid_response"
      t("sessions.failure.sso_invalid_response")
    else
      t("sessions.failure.sso_failed")
    end

    redirect_to new_session_path, alert: message
  end

  private
    def handle_mobile_sso_callback(user)
      device_info = session.delete(:mobile_sso)

      unless device_info.present?
        mobile_sso_redirect(error: "missing_session", message: "Mobile SSO session expired")
        return
      end

      device = MobileDevice.upsert_device!(user, device_info.symbolize_keys)
      token_response = device.issue_token!

      # Store tokens behind a one-time authorization code instead of passing in URL
      authorization_code = SecureRandom.urlsafe_base64(32)
      Rails.cache.write(
        "mobile_sso:#{authorization_code}",
        token_response.merge(
          user_id: user.id,
          user_email: user.email,
          user_first_name: user.first_name,
          user_last_name: user.last_name
        ),
        expires_in: 5.minutes
      )

      mobile_sso_redirect(code: authorization_code)
    rescue ActiveRecord::RecordInvalid => e
      Rails.logger.warn("[Mobile SSO] Device save failed: #{e.record.errors.full_messages.join(', ')}")
      mobile_sso_redirect(error: "device_error", message: "Unable to register device")
    end

    def mobile_sso_redirect(params = {})
      redirect_to "sureapp://oauth/callback?#{params.to_query}", allow_other_host: true
    end

    def set_session
      @session = Current.user.sessions.find(params[:id])
    end

    def log_super_admin_override_login(user)
      # Only log when local login is globally disabled but an emergency
      # super-admin override is enabled.
      return if AuthConfig.local_login_enabled?
      return unless AuthConfig.local_admin_override_enabled?
      return unless user&.super_admin?

      Rails.logger.info("[AUTH] Super admin override login: user_id=#{user.id} email=#{user.email}")
    end

    def demo_host_match?(demo)
      return false unless demo.present? && demo["hosts"].present?

      demo["hosts"].include?(request.host)
    end

    def build_idp_logout_url(oidc_identity, id_token)
      # Find the provider configuration using unified loader (supports both YAML and DB providers)
      provider_config = ProviderLoader.load_providers.find do |p|
        p[:name] == oidc_identity.provider
      end

      return nil unless provider_config

      # For OIDC providers, fetch end_session_endpoint from discovery
      if provider_config[:strategy] == "openid_connect" && provider_config[:issuer].present?
        begin
          discovery_url = discovery_url_for(provider_config[:issuer])
          response = Faraday.get(discovery_url) do |req|
            req.options.timeout = 5
            req.options.open_timeout = 3
          end

          return nil unless response.success?

          discovery = JSON.parse(response.body)
          end_session_endpoint = discovery["end_session_endpoint"]

          return nil unless end_session_endpoint.present?

          # Build the logout URL with post_logout_redirect_uri
          post_logout_redirect = "#{request.base_url}/auth/logout/callback"
          params = {
            id_token_hint: id_token,
            post_logout_redirect_uri: post_logout_redirect
          }

          "#{end_session_endpoint}?#{params.to_query}"
        rescue Faraday::Error, JSON::ParserError, StandardError => e
          Rails.logger.warn("[SSO] Failed to fetch OIDC discovery for logout: #{e.message}")
          nil
        end
      else
        nil
      end
    end

    def discovery_url_for(issuer)
      if issuer.end_with?("/")
        "#{issuer}.well-known/openid-configuration"
      else
        "#{issuer}/.well-known/openid-configuration"
      end
    end
end