GT-1839, implement facebook auth

.env

@@ -35,3 +35,6 @@ ADOBE_CAMPAIGN_SIGNED_JWT=asdf
 OKTA_SERVER_URL=https://dev1-signon.okta.com
 OKTA_SERVER_PATH=https://dev1-signon.okta.com
 OKTA_SERVER_AUDIENCE=https://dev1-signon.okta.com
+
+FACEBOOK_APP_ID=facebook_app_id
+FACEBOOK_APP_SECRET=facebook_app_secret

Gemfile.lock

@@ -3,40 +3,40 @@ GEM
   specs:
     action-cable-testing (0.6.1)
       actioncable (>= 5.0)
-    actioncable (6.1.7.1)
-      actionpack (= 6.1.7.1)
-      activesupport (= 6.1.7.1)
+    actioncable (6.1.7.3)
+      actionpack (= 6.1.7.3)
+      activesupport (= 6.1.7.3)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.1.7.1)
-      actionpack (= 6.1.7.1)
-      activejob (= 6.1.7.1)
-      activerecord (= 6.1.7.1)
-      activestorage (= 6.1.7.1)
-      activesupport (= 6.1.7.1)
+    actionmailbox (6.1.7.3)
+      actionpack (= 6.1.7.3)
+      activejob (= 6.1.7.3)
+      activerecord (= 6.1.7.3)
+      activestorage (= 6.1.7.3)
+      activesupport (= 6.1.7.3)
       mail (>= 2.7.1)
-    actionmailer (6.1.7.1)
-      actionpack (= 6.1.7.1)
-      actionview (= 6.1.7.1)
-      activejob (= 6.1.7.1)
-      activesupport (= 6.1.7.1)
+    actionmailer (6.1.7.3)
+      actionpack (= 6.1.7.3)
+      actionview (= 6.1.7.3)
+      activejob (= 6.1.7.3)
+      activesupport (= 6.1.7.3)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.1.7.1)
-      actionview (= 6.1.7.1)
-      activesupport (= 6.1.7.1)
+    actionpack (6.1.7.3)
+      actionview (= 6.1.7.3)
+      activesupport (= 6.1.7.3)
       rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.1.7.1)
-      actionpack (= 6.1.7.1)
-      activerecord (= 6.1.7.1)
-      activestorage (= 6.1.7.1)
-      activesupport (= 6.1.7.1)
+    actiontext (6.1.7.3)
+      actionpack (= 6.1.7.3)
+      activerecord (= 6.1.7.3)
+      activestorage (= 6.1.7.3)
+      activesupport (= 6.1.7.3)
       nokogiri (>= 1.8.5)
-    actionview (6.1.7.1)
-      activesupport (= 6.1.7.1)
+    actionview (6.1.7.3)
+      activesupport (= 6.1.7.3)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
@@ -51,22 +51,22 @@ GEM
       activemodel (>= 5.2.0)
       activestorage (>= 5.2.0)
       activesupport (>= 5.2.0)
-    activejob (6.1.7.1)
-      activesupport (= 6.1.7.1)
+    activejob (6.1.7.3)
+      activesupport (= 6.1.7.3)
       globalid (>= 0.3.6)
-    activemodel (6.1.7.1)
-      activesupport (= 6.1.7.1)
-    activerecord (6.1.7.1)
-      activemodel (= 6.1.7.1)
-      activesupport (= 6.1.7.1)
-    activestorage (6.1.7.1)
-      actionpack (= 6.1.7.1)
-      activejob (= 6.1.7.1)
-      activerecord (= 6.1.7.1)
-      activesupport (= 6.1.7.1)
+    activemodel (6.1.7.3)
+      activesupport (= 6.1.7.3)
+    activerecord (6.1.7.3)
+      activemodel (= 6.1.7.3)
+      activesupport (= 6.1.7.3)
+    activestorage (6.1.7.3)
+      actionpack (= 6.1.7.3)
+      activejob (= 6.1.7.3)
+      activerecord (= 6.1.7.3)
+      activesupport (= 6.1.7.3)
       marcel (~> 1.0)
       mini_mime (>= 1.1.0)
-    activesupport (6.1.7.1)
+    activesupport (6.1.7.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
@@ -118,7 +118,7 @@ GEM
     case_transform (0.2)
       activesupport
     coderay (1.1.3)
-    concurrent-ruby (1.1.10)
+    concurrent-ruby (1.2.2)
     crack (0.4.5)
       rexml
     crass (1.0.6)
@@ -159,7 +159,7 @@ GEM
       mime-types (>= 1.0)
     formatador (0.3.0)
     gems (1.2.0)
-    globalid (1.0.1)
+    globalid (1.1.0)
       activesupport (>= 5.0)
     google-api-client (0.53.0)
       google-apis-core (~> 0.1)
@@ -241,7 +241,7 @@ GEM
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     lumberjack (1.2.8)
-    mail (2.8.0.1)
+    mail (2.8.1)
       mini_mime (>= 0.1.1)
       net-imap
       net-pop
@@ -256,7 +256,7 @@ GEM
     mini_magick (4.11.0)
     mini_mime (1.1.2)
     mini_portile2 (2.8.1)
-    minitest (5.17.0)
+    minitest (5.18.0)
     msgpack (1.6.1)
     multi_json (1.15.0)
     multi_xml (0.6.0)
@@ -300,42 +300,42 @@ GEM
     puma (5.6.5)
       nio4r (~> 2.0)
     racc (1.6.2)
-    rack (2.2.6.3)
+    rack (2.2.6.4)
     rack-cors (2.0.0)
       rack (>= 2.0.0)
     rack-mini-profiler (3.0.0)
       rack (>= 1.2.0)
     rack-protection (2.2.3)
       rack
-    rack-test (2.0.2)
+    rack-test (2.1.0)
       rack (>= 1.3)
     raddocs (2.2.0)
       haml (>= 4.0)
       json
       sinatra (~> 2.0)
-    rails (6.1.7.1)
-      actioncable (= 6.1.7.1)
-      actionmailbox (= 6.1.7.1)
-      actionmailer (= 6.1.7.1)
-      actionpack (= 6.1.7.1)
-      actiontext (= 6.1.7.1)
-      actionview (= 6.1.7.1)
-      activejob (= 6.1.7.1)
-      activemodel (= 6.1.7.1)
-      activerecord (= 6.1.7.1)
-      activestorage (= 6.1.7.1)
-      activesupport (= 6.1.7.1)
+    rails (6.1.7.3)
+      actioncable (= 6.1.7.3)
+      actionmailbox (= 6.1.7.3)
+      actionmailer (= 6.1.7.3)
+      actionpack (= 6.1.7.3)
+      actiontext (= 6.1.7.3)
+      actionview (= 6.1.7.3)
+      activejob (= 6.1.7.3)
+      activemodel (= 6.1.7.3)
+      activerecord (= 6.1.7.3)
+      activestorage (= 6.1.7.3)
+      activesupport (= 6.1.7.3)
       bundler (>= 1.15.0)
-      railties (= 6.1.7.1)
+      railties (= 6.1.7.3)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.4)
+    rails-html-sanitizer (1.5.0)
       loofah (~> 2.19, >= 2.19.1)
-    railties (6.1.7.1)
-      actionpack (= 6.1.7.1)
-      activesupport (= 6.1.7.1)
+    railties (6.1.7.3)
+      actionpack (= 6.1.7.3)
+      activesupport (= 6.1.7.3)
       method_source
       rake (>= 12.2)
       thor (~> 1.0)
@@ -451,8 +451,8 @@ GEM
     temple (0.8.0)
     thor (1.2.1)
     tilt (2.0.11)
-    timeout (0.3.1)
-    tzinfo (2.0.5)
+    timeout (0.3.2)
+    tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     uber (0.1.0)
     unf (0.1.4)
@@ -480,7 +480,7 @@ GEM
     websocket-extensions (0.1.5)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.6.6)
+    zeitwerk (2.6.7)
 
 PLATFORMS
   ruby
@@ -544,4 +544,4 @@ RUBY VERSION
    ruby 3.0.5p211
 
 BUNDLED WITH
-   2.3.11
+   2.3.12

app/controllers/auth_controller.rb

@@ -2,7 +2,13 @@
 
 class AuthController < ApplicationController
   def create
-    token = data_attrs[:okta_access_token] ? auth_with_okta : auth_with_code
+    token = if data_attrs[:okta_access_token]
+      auth_with_okta
+    elsif data_attrs[:facebook_access_token]
+      auth_with_facebook
+    else
+      auth_with_code
+    end
     render json: token, status: :created if token
   end
 
@@ -30,4 +36,12 @@ def auth_with_okta
     render_bad_request e.message
     nil
   end
+
+  def auth_with_facebook
+    user = Facebook.find_user_by_access_token(data_attrs[:facebook_access_token])
+    AuthToken.new(user: user)
+  rescue Facebook::FailedAuthentication => e
+    render_bad_request e.message
+    nil
+  end
 end

app/controllers/deletion_requests_controller.rb

@@ -0,0 +1,25 @@
+class DeletionRequestsController < ApplicationController
+  # disable CSRF protection, as it doesn't make sense in this case
+  protect_from_forgery with: :null_session
+
+  def facebook
+    begin
+      dr = DeletionRequest.from_signed_fb(params["signed_request"])
+    rescue DeletionRequest::FailedAuthentication => e
+      render json: {"error" => e.to_s}
+      return
+    end
+
+    dr.run
+
+    render json: {
+      url: deletion_request_url(dr.pid),
+      confirmation_code: dr.pid
+    }
+  end
+
+  def show
+    dr = DeletionRequest.find_by_pid!(params[:id])
+    render json: {"data" => dr.deleted? ? "Your data has been completely deleted" : "Your deletion request is still in progress"}
+  end
+end

app/controllers/users_controller.rb

@@ -6,8 +6,6 @@ def show
   end
 
   def destroy
-    @user.user_counters.destroy_all
-    @user.favorite_tools.destroy_all
     @user.destroy!
     render json: "", status: 204
   end

app/models/deletion_request.rb

@@ -0,0 +1,57 @@
+class DeletionRequest < ApplicationRecord
+  validates_presence_of :uid, :provider, :pid
+
+  # there can only be one entry with given provider + uid
+  validates_uniqueness_of :uid, scope: :provider
+
+  before_validation :set_pid
+
+  def run
+    associated_user&.destroy!
+  end
+
+  def deleted?
+    associated_user.nil?
+  end
+
+  def self.from_signed_fb(req)
+    data = DeletionRequest.parse_fb_request(req)
+    return unless data
+    DeletionRequest.create(provider: "facebook", uid: data["user_id"])
+  end
+
+  def self.parse_fb_request(req)
+    encoded, payload = req.split(".", 2)
+    decoded = Base64.urlsafe_decode64(encoded)
+    data = JSON.parse(Base64.urlsafe_decode64(payload))
+
+    # we need to verify the digest is the same
+    exp = OpenSSL::HMAC.digest("SHA256", ENV["FACEBOOK_APP_SECRET"], payload)
+    raise FailedAuthentication, "FB deletion callback called with invalid data" if decoded != exp
+
+    data
+  end
+
+  private
+
+  def associated_user
+    # more providers will be added
+    case provider
+    when "facebook"
+      User.find_by(facebook_user_id: uid)
+    end
+  end
+
+  def set_pid
+    if pid.blank?
+      self.pid = random_pid
+    end
+  end
+
+  def random_pid
+    SecureRandom.hex(4)
+  end
+
+  class FailedAuthentication < StandardError
+  end
+end

app/models/user.rb

@@ -1,9 +1,9 @@
 class User < ApplicationRecord
-  has_many :user_counters
-  has_many :favorite_tools
+  has_many :user_counters, dependent: :destroy
+  has_many :favorite_tools, dependent: :destroy
   has_many :tools, through: :favorite_tools
 
-  validates :sso_guid, uniqueness: true, presence: true
+  validates :sso_guid, uniqueness: true, presence: {unless: -> { facebook_user_id.present? }}
 
   # while the email needs to be validated case-insensitively, we'll
   # let Rails pass the insensitive check down to postgres's citext type