Merge branch 'master' into registry-790

2025-06-06 20:55:44 +02:00 · 2018-08-27 15:24:05 +03:00 · 2018-08-27 15:24:05 +03:00 · 3d51a93f95
commit 3d51a93f95
parent 4b2948986b a2361789e4
104 changed files with 728 additions and 557 deletions
--- a/app/api/repp/api.rb
+++ b/app/api/repp/api.rb
@ -4,7 +4,7 @@ module Repp
    prefix :repp
    http_basic do |username, password|
-      @current_user ||= ApiUser.find_by(username: username, password: password)
+      @current_user ||= ApiUser.find_by(username: username, plain_text_password: password)
      if @current_user
        true
      else
--- a/app/controllers/admin/api_users_controller.rb
+++ b/app/controllers/admin/api_users_controller.rb
@ -32,7 +32,10 @@ module Admin
    end
    def update
-      params[:api_user].delete(:password) if params[:api_user][:password].blank?
+      if params[:api_user][:plain_text_password].blank?
        params[:api_user].delete(:plain_text_password)
      end
      if @api_user.update(api_user_params)
        flash[:notice] = I18n.t('record_updated')
        redirect_to [:admin, @api_user]
@ -59,7 +62,7 @@ module Admin
    end
    def api_user_params
-      params.require(:api_user).permit(:username, :password, :active,
+      params.require(:api_user).permit(:username, :plain_text_password, :active,
                                       :registrar_id, :registrar_typeahead,
                                       :identity_code, { roles: [] })
    end
--- a/app/controllers/admin/base_controller.rb
+++ b/app/controllers/admin/base_controller.rb
@ -1,10 +1,20 @@
 module Admin
  class BaseController < ApplicationController
-    before_action :authenticate_user!
+    before_action :authenticate_admin_user!
    helper_method :head_title_sufix
    def head_title_sufix
      t(:admin_head_title_sufix)
    end
    private
    def current_ability
      @current_ability ||= Ability.new(current_admin_user)
    end
    def user_for_paper_trail
      current_admin_user ? current_admin_user.id_role_username : 'anonymous'
    end
  end
-end
+end
--- a/app/controllers/admin/dashboard_controller.rb
+++ b/app/controllers/admin/dashboard_controller.rb
@ -0,0 +1,7 @@
 module Admin
  class DashboardController < BaseController
    authorize_resource class: false
    def show; end
  end
 end
--- a/app/controllers/admin/dashboards_controller.rb
+++ b/app/controllers/admin/dashboards_controller.rb
@ -1,9 +0,0 @@
 module Admin
  class DashboardsController < BaseController
    authorize_resource class: false
    def show
      redirect_to [:admin, :domains] if can? :show, Domain
    end
  end
 end
--- a/app/controllers/admin/pending_deletes_controller.rb
+++ b/app/controllers/admin/pending_deletes_controller.rb
@ -6,7 +6,7 @@ module Admin
    def update
      authorize! :update, :pending
-      if registrant_verification.domain_registrant_delete_confirm!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_delete_confirm!("admin #{current_admin_user.username}")
        redirect_to admin_domain_path(@domain.id), notice: t(:pending_applied)
      else
        redirect_to admin_domain_path(@domain.id), alert: t(:failure)
@ -16,7 +16,7 @@ module Admin
    def destroy
      authorize! :destroy, :pending
-      if registrant_verification.domain_registrant_delete_reject!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_delete_reject!("admin #{current_admin_user.username}")
        redirect_to admin_domain_path(@domain.id), notice: t(:pending_removed)
      else
        redirect_to admin_domain_path(@domain.id), alert: t(:failure)
--- a/app/controllers/admin/pending_updates_controller.rb
+++ b/app/controllers/admin/pending_updates_controller.rb
@ -6,7 +6,7 @@ module Admin
    def update
      authorize! :update, :pending
-      if registrant_verification.domain_registrant_change_confirm!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_change_confirm!("admin #{current_admin_user.username}")
        redirect_to admin_domain_path(@domain.id), notice: t(:pending_applied)
      else
        redirect_to edit_admin_domain_path(@domain.id), alert: t(:failure)
@ -15,7 +15,7 @@ module Admin
    def destroy
      authorize! :destroy, :pending
-      if registrant_verification.domain_registrant_change_reject!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_change_reject!("admin #{current_admin_user.username}")
        redirect_to admin_domain_path(@domain.id), notice: t(:pending_removed)
      else
        redirect_to admin_domain_path(@domain.id), alert: t(:failure)
--- a/app/controllers/admin/sessions_controller.rb
+++ b/app/controllers/admin/sessions_controller.rb
@ -1,28 +1,17 @@
 module Admin
  class SessionsController < Devise::SessionsController
-    skip_authorization_check only: :create
+    private
-    def login
+    def after_sign_in_path_for(_resource_or_scope)
-      @admin_user = AdminUser.new
+      admin_domains_path
    end
-    def create
+    def after_sign_out_path_for(_resource_or_scope)
-      if params[:admin_user].blank?
+      new_admin_user_session_path
-        @admin_user = AdminUser.new
+    end
        flash[:alert] = 'Something went wrong'
        return render 'login'
      end
-      @admin_user = AdminUser.find_by(username: params[:admin_user][:username])
+    def user_for_paper_trail
-      @admin_user ||= AdminUser.new(username: params[:admin_user][:username])
+      current_admin_user ? current_admin_user.id_role_username : 'anonymous'
      if @admin_user.valid_password?(params[:admin_user][:password])
        sign_in @admin_user, event: :authentication
        redirect_to admin_root_url, notice: I18n.t(:welcome)
      else
        flash[:alert] = 'Authorization error'
        render 'login'
      end
    end
  end
-end
+end
--- a/app/controllers/api/v1/registrant/contacts_controller.rb
+++ b/app/controllers/api/v1/registrant/contacts_controller.rb
@ -35,7 +35,7 @@ module Api
        private
        def set_contacts_pool
-          country_code, ident = current_user.registrant_ident.to_s.split '-'
+          country_code, ident = current_registrant_user.registrant_ident.to_s.split '-'
          associated_domain_ids = begin
            BusinessRegistryCache.fetch_by_ident_and_cc(ident, country_code).associated_domain_ids
          end
--- a/app/controllers/api/v1/registrant/domains_controller.rb
+++ b/app/controllers/api/v1/registrant/domains_controller.rb
@ -16,12 +16,12 @@ module Api
                   status: :bad_request) && return
          end
-          @domains = associated_domains(current_user).limit(limit).offset(offset)
+          @domains = associated_domains(current_registrant_user).limit(limit).offset(offset)
          render json: @domains
        end
        def show
-          domain_pool = associated_domains(current_user)
+          domain_pool = associated_domains(current_registrant_user)
          @domain = domain_pool.find_by(uuid: params[:uuid])
          if @domain
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -12,63 +12,15 @@ class ApplicationController < ActionController::Base
  end
  rescue_from CanCan::AccessDenied do |exception|
-    redirect_to current_root_url, alert: exception.message
+    redirect_to root_url, alert: exception.message
  end
  helper_method :registrant_request?, :registrar_request?, :admin_request?, :current_root_url
  helper_method :available_languages
  def registrant_request?
    request.path.match(/^\/registrant/)
  end
  def registrar_request?
    request.path.match(/^\/registrar/)
  end
  def admin_request?
    request.path.match(/^\/admin/)
  end
  def current_root_url
    if registrar_request?
      registrar_root_url
    elsif registrant_request?
      registrant_login_url
    elsif admin_request?
      admin_root_url
    end
  end
  def after_sign_in_path_for(_resource)
    rt = session[:user_return_to].to_s.presence
    login_paths = [admin_login_path, registrar_login_path, '/login']
    return rt if rt && !login_paths.include?(rt)
    current_root_url
  end
  def after_sign_out_path_for(_resource)
    if registrar_request?
      registrar_login_url
    elsif registrant_request?
      registrant_login_url
    elsif admin_request?
      admin_login_url
    end
  end
  def info_for_paper_trail
    { uuid: request.uuid }
  end
  def user_for_paper_trail
    user_log_str(current_user)
  end
  def user_log_str(user)
    user.nil? ? 'public' : user.id_role_username
  end
  def comma_support_for(parent_key, key)
    return if params[parent_key].blank?
    return if params[parent_key][key].blank?
@ -80,4 +32,4 @@ class ApplicationController < ActionController::Base
  def available_languages
    { en: 'English', et: 'Estonian' }.invert
  end
-end
+end
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@ -81,7 +81,7 @@ class Epp::SessionsController < EppController
    if success
      if params[:parsed_frame].css('newPW').first
-        unless @api_user.update(password: params[:parsed_frame].css('newPW').first.text)
+        unless @api_user.update(plain_text_password: params[:parsed_frame].css('newPW').first.text)
          response.headers['X-EPP-Returncode'] = '2500'
          handle_errors(@api_user) and return
        end
@ -128,7 +128,7 @@ class Epp::SessionsController < EppController
  def login_params
    user = params[:parsed_frame].css('clID').first.text
    pw = params[:parsed_frame].css('pw').first.text
-    { username: user, password: pw }
+    { username: user, plain_text_password: pw }
  end
  private
--- a/app/controllers/registrant/contacts_controller.rb
+++ b/app/controllers/registrant/contacts_controller.rb
@ -3,7 +3,6 @@ class Registrant::ContactsController < RegistrantController
  def show
    @contact = Contact.where(id: contacts).find_by(id: params[:id])
    @current_user = current_user
    authorize! :read, @contact
  end
@ -22,7 +21,7 @@ class Registrant::ContactsController < RegistrantController
  def domain_ids
    @domain_ids ||= begin
-      ident_cc, ident = @current_user.registrant_ident.to_s.split '-'
+      ident_cc, ident = current_registrant_user.registrant_ident.to_s.split '-'
      BusinessRegistryCache.fetch_by_ident_and_cc(ident, ident_cc).associated_domain_ids
    end
  end
--- a/app/controllers/registrant/domain_delete_confirms_controller.rb
+++ b/app/controllers/registrant/domain_delete_confirms_controller.rb
@ -19,7 +19,8 @@ class Registrant::DomainDeleteConfirmsController < RegistrantController
                                                          domain_name: @domain.name,
                                                          verification_token: params[:token])
-    initiator = current_user ? current_user.username : t(:user_not_authenticated)
+    initiator = current_registrant_user ? current_registrant_user.username :
                  t(:user_not_authenticated)
    if params[:rejected]
      if @registrant_verification.domain_registrant_delete_reject!("email link #{initiator}")
--- a/app/controllers/registrant/domain_update_confirms_controller.rb
+++ b/app/controllers/registrant/domain_update_confirms_controller.rb
@ -19,7 +19,8 @@ class Registrant::DomainUpdateConfirmsController < RegistrantController
                                                          domain_name: @domain.name,
                                                          verification_token: params[:token])
-    initiator = current_user ? current_user.username : t(:user_not_authenticated)
+    initiator = current_registrant_user ? current_registrant_user.username :
                  t(:user_not_authenticated)
    if params[:rejected]
      if @registrant_verification.domain_registrant_change_reject!("email link, #{initiator}")
--- a/app/controllers/registrant/domains_controller.rb
+++ b/app/controllers/registrant/domains_controller.rb
@ -54,13 +54,13 @@ class Registrant::DomainsController < RegistrantController
  end
  def domains
-    ident_cc, ident = @current_user.registrant_ident.split '-'
+    ident_cc, ident = current_registrant_user.registrant_ident.split '-'
    begin
      BusinessRegistryCache.fetch_associated_domains ident, ident_cc
    rescue Soap::Arireg::NotAvailableError => error
      flash[:notice] = I18n.t(error.json[:message])
      Rails.logger.fatal("[EXCEPTION] #{error.to_s}")
-      current_user.domains
+      current_registrant_user.domains
    end
  end
--- a/app/controllers/registrant/sessions_controller.rb
+++ b/app/controllers/registrant/sessions_controller.rb
@ -1,8 +1,7 @@
 class Registrant::SessionsController < Devise::SessionsController
  layout 'registrant/application'
-  def login
+  def new; end
  end
  def id
    id_code, id_issuer = request.env['SSL_CLIENT_S_DN'], request.env['SSL_CLIENT_I_DN_O']
@ -10,11 +9,10 @@ class Registrant::SessionsController < Devise::SessionsController
    @user = RegistrantUser.find_or_create_by_idc_data(id_code, id_issuer)
    if @user
-      sign_in(@user, event: :authentication)
+      sign_in_and_redirect(:registrant_user, @user, event: :authentication)
      redirect_to registrant_root_url
    else
      flash[:alert] = t('login_failed_check_id_card')
-      redirect_to registrant_login_url
+      redirect_to new_registrant_user_session_url
    end
  end
@ -68,7 +66,7 @@ class Registrant::SessionsController < Devise::SessionsController
    when 'USER_AUTHENTICATED'
      @user = RegistrantUser.find_by(registrant_ident: "#{session[:user_country]}-#{session[:user_id_code]}")
-      sign_in @user
+      sign_in(:registrant_user, @user)
      flash[:notice] = t(:welcome)
      flash.keep(:notice)
      render js: "window.location = '#{registrant_root_path}'"
@ -97,4 +95,18 @@ class Registrant::SessionsController < Devise::SessionsController
    return User.new unless idc
    ApiUser.find_by(identity_code: idc) || User.new
  end
-end
+
  private
  def after_sign_in_path_for(_resource_or_scope)
    registrant_root_path
  end
  def after_sign_out_path_for(_resource_or_scope)
    new_registrant_user_session_path
  end
  def user_for_paper_trail
    current_registrant_user.present? ? current_registrant_user.id_role_username : 'anonymous'
  end
 end
--- a/app/controllers/registrant_controller.rb
+++ b/app/controllers/registrant_controller.rb
@ -1,11 +1,22 @@
 class RegistrantController < ApplicationController
-  before_action :authenticate_user!
+  before_action :authenticate_registrant_user!
  layout 'registrant/application'
  include Registrant::ApplicationHelper
  helper_method :head_title_sufix
  def head_title_sufix
    t(:registrant_head_title_sufix)
  end
-end
+
  private
  def current_ability
    @current_ability ||= Ability.new(current_registrant_user, request.remote_ip)
  end
  def user_for_paper_trail
    current_registrant_user.present? ? current_registrant_user.id_role_username : 'anonymous'
  end
 end
--- a/app/controllers/registrar/account_activities_controller.rb
+++ b/app/controllers/registrar/account_activities_controller.rb
@ -4,7 +4,7 @@ class Registrar
    def index
      params[:q] ||= {}
-      account = current_user.registrar.cash_account
+      account = current_registrar_user.registrar.cash_account
      ca_cache = params[:q][:created_at_lteq]
      begin
--- a/app/controllers/registrar/base_controller.rb
+++ b/app/controllers/registrar/base_controller.rb
@ -2,7 +2,7 @@ class Registrar
  class BaseController < ApplicationController
    include Registrar::ApplicationHelper
-    before_action :authenticate_user!
+    before_action :authenticate_registrar_user!
    before_action :check_ip_restriction
    helper_method :depp_controller?
    helper_method :head_title_sufix
@ -10,21 +10,21 @@ class Registrar
    protected
    def current_ability
-      @current_ability ||= Ability.new(current_user, request.remote_ip)
+      @current_ability ||= Ability.new(current_registrar_user, request.remote_ip)
    end
    private
    def check_ip_restriction
      ip_restriction = Authorization::RestrictedIP.new(request.ip)
-      allowed = ip_restriction.can_access_registrar_area?(current_user.registrar)
+      allowed = ip_restriction.can_access_registrar_area?(current_registrar_user.registrar)
      return if allowed
-      sign_out current_user
+      sign_out current_registrar_user
      flash[:alert] = t('registrar.authorization.ip_not_allowed', ip: request.ip)
-      redirect_to registrar_login_url
+      redirect_to new_registrar_user_session_url
    end
    def depp_controller?
@ -34,5 +34,9 @@ class Registrar
    def head_title_sufix
      t(:registrar_head_title_sufix)
    end
    def user_for_paper_trail
      current_registrar_user ? current_registrar_user.id_role_username : 'anonymous'
    end
  end
 end
--- a/app/controllers/registrar/bulk_change_controller.rb
+++ b/app/controllers/registrar/bulk_change_controller.rb
@ -10,7 +10,7 @@ class Registrar
    private
    def available_contacts
-      current_user.registrar.contacts.order(:name).pluck(:name, :code)
+      current_registrar_user.registrar.contacts.order(:name).pluck(:name, :code)
    end
    def default_tab
--- a/app/controllers/registrar/contacts_controller.rb
+++ b/app/controllers/registrar/contacts_controller.rb
@ -21,11 +21,11 @@ class Registrar
      end
      if params[:statuses_contains]
-        contacts = current_user.registrar.contacts.includes(:registrar).where(
+        contacts = current_registrar_user.registrar.contacts.includes(:registrar).where(
          "contacts.statuses @> ?::varchar[]", "{#{params[:statuses_contains].join(',')}}"
        )
      else
-        contacts = current_user.registrar.contacts.includes(:registrar)
+        contacts = current_registrar_user.registrar.contacts.includes(:registrar)
      end
      normalize_search_parameters do
@ -45,7 +45,7 @@ class Registrar
        @contacts = Contact.find_by(name: params[:q][:name_matches])
      end
-      contacts = current_user.registrar.contacts.includes(:registrar)
+      contacts = current_registrar_user.registrar.contacts.includes(:registrar)
      contacts = contacts.filter_by_states(params[:statuses_contains]) if params[:statuses_contains]
      normalize_search_parameters do
--- a/app/controllers/registrar/current_user_controller.rb
+++ b/app/controllers/registrar/current_user_controller.rb
@ -3,9 +3,9 @@ class Registrar
    skip_authorization_check
    def switch
-      raise 'Cannot switch to unlinked user' unless current_user.linked_with?(new_user)
+      raise 'Cannot switch to unlinked user' unless current_registrar_user.linked_with?(new_user)
-      sign_in(new_user)
+      sign_in(:registrar_user, new_user)
      redirect_to :back, notice: t('.switched', new_user: new_user)
    end
--- a/app/controllers/registrar/dashboard_controller.rb
+++ b/app/controllers/registrar/dashboard_controller.rb
@ -1,13 +0,0 @@
 class Registrar
  class DashboardController < BaseController
    authorize_resource class: false
    def show
      if can?(:show, :poll)
        redirect_to registrar_poll_url and return
      elsif can?(:show, Invoice)
        redirect_to registrar_invoices_url and return
      end
    end
  end
 end
--- a/app/controllers/registrar/deposits_controller.rb
+++ b/app/controllers/registrar/deposits_controller.rb
@ -7,7 +7,7 @@ class Registrar
    end
    def create
-      @deposit = Deposit.new(deposit_params.merge(registrar: current_user.registrar))
+      @deposit = Deposit.new(deposit_params.merge(registrar: current_registrar_user.registrar))
      @invoice = @deposit.issue_prepayment_invoice
      if @invoice
--- a/app/controllers/registrar/depp_controller.rb
+++ b/app/controllers/registrar/depp_controller.rb
@ -5,13 +5,13 @@ class Registrar
    rescue_from(Errno::ECONNRESET, Errno::ECONNREFUSED) do |exception|
      logger.error 'COULD NOT CONNECT TO REGISTRY'
      logger.error exception.backtrace.join("\n")
-      redirect_to registrar_login_url, alert: t(:no_connection_to_registry)
+      redirect_to new_registrar_user_session_url, alert: t(:no_connection_to_registry)
    end
    before_action :authenticate_user
    def authenticate_user
-      redirect_to registrar_login_url and return unless depp_current_user
+      redirect_to new_registrar_user_session_url and return unless depp_current_user
    end
    def depp_controller?
@ -19,10 +19,10 @@ class Registrar
    end
    def depp_current_user
-      return nil unless current_user
+      return nil unless current_registrar_user
      @depp_current_user ||= Depp::User.new(
-        tag: current_user.username,
+        tag: current_registrar_user.username,
-        password: current_user.password
+        password: current_registrar_user.plain_text_password
      )
    end
--- a/app/controllers/registrar/domain_transfers_controller.rb
+++ b/app/controllers/registrar/domain_transfers_controller.rb
@ -21,7 +21,8 @@ class Registrar
        uri = URI.parse("#{ENV['repp_url']}domain_transfers")
        request = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json')
        request.body = { data: { domainTransfers: domain_transfers } }.to_json
-        request.basic_auth(current_user.username, current_user.password)
+        request.basic_auth(current_registrar_user.username,
                           current_registrar_user.plain_text_password)
        if Rails.env.test?
--- a/app/controllers/registrar/domains_controller.rb
+++ b/app/controllers/registrar/domains_controller.rb
@ -16,11 +16,11 @@ class Registrar
      end
      if params[:statuses_contains]
-        domains = current_user.registrar.domains.includes(:registrar, :registrant).where(
+        domains = current_registrar_user.registrar.domains.includes(:registrar, :registrant).where(
          "statuses @> ?::varchar[]", "{#{params[:statuses_contains].join(',')}}"
        )
      else
-        domains = current_user.registrar.domains.includes(:registrar, :registrant)
+        domains = current_registrar_user.registrar.domains.includes(:registrar, :registrant)
      end
      normalize_search_parameters do
@ -142,7 +142,7 @@ class Registrar
    def search_contacts
      authorize! :create, Depp::Domain
-      scope = current_user.registrar.contacts.limit(10)
+      scope = current_registrar_user.registrar.contacts.limit(10)
      if params[:query].present?
        escaped_str = ActiveRecord::Base.connection.quote_string params[:query]
        scope = scope.where("name ilike '%#{escaped_str}%' OR code ilike '%#{escaped_str}%' ")
@ -159,7 +159,7 @@ class Registrar
    def contacts
-      current_user.registrar.contacts
+      current_registrar_user.registrar.contacts
    end
    def normalize_search_parameters
--- a/app/controllers/registrar/invoices_controller.rb
+++ b/app/controllers/registrar/invoices_controller.rb
@ -6,7 +6,8 @@ class Registrar
    def index
      params[:q] ||= {}
-      invoices = current_user.registrar.invoices.includes(:invoice_items, :account_activity)
+      invoices = current_registrar_user.registrar.invoices
                   .includes(:invoice_items, :account_activity)
      normalize_search_parameters do
        @q = invoices.search(params[:q])
--- a/app/controllers/registrar/nameservers_controller.rb
+++ b/app/controllers/registrar/nameservers_controller.rb
@ -12,7 +12,8 @@ class Registrar
                               attributes: { hostname: params[:new_hostname],
                                             ipv4: ipv4,
                                             ipv6: ipv6 } } }.to_json
-      request.basic_auth(current_user.username, current_user.password)
+      request.basic_auth(current_registrar_user.username,
                         current_registrar_user.plain_text_password)
      if Rails.env.test?
        response = Net::HTTP.start(uri.hostname, uri.port,
--- a/app/controllers/registrar/profile_controller.rb
+++ b/app/controllers/registrar/profile_controller.rb
@ -5,13 +5,13 @@ class Registrar
    helper_method :linked_users
    def show
-      @user = current_user
+      @user = current_registrar_user
    end
    private
    def linked_users
-      current_user.linked_users
+      current_registrar_user.linked_users
    end
  end
 end
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@ -3,12 +3,8 @@ class Registrar
    before_action :check_ip_restriction
    helper_method :depp_controller?
    def login
      @depp_user = Depp::User.new
    end
    def create
-      @depp_user = Depp::User.new(params[:depp_user].merge(pki: !(Rails.env.development? || Rails.env.test?)))
+      @depp_user = Depp::User.new(depp_user_params)
      if @depp_user.pki && request.env['HTTP_SSL_CLIENT_S_DN_CN'].blank?
        @depp_user.errors.add(:base, :webserver_missing_user_name_directive)
@ -26,11 +22,12 @@ class Registrar
        @depp_user.errors.add(:base, :webserver_client_cert_directive_should_be_required)
      end
-      @api_user = ApiUser.find_by(username: params[:depp_user][:tag], password: params[:depp_user][:password])
+      @api_user = ApiUser.find_by(username: sign_in_params[:username],
                                  plain_text_password: sign_in_params[:password])
      unless @api_user
        @depp_user.errors.add(:base, t(:no_such_user))
-        render 'login' and return
+        show_error and return
      end
      if @depp_user.pki
@ -41,14 +38,13 @@ class Registrar
      if @depp_user.errors.none?
        if @api_user.active?
-          sign_in @api_user
+          sign_in_and_redirect(:registrar_user, @api_user)
          redirect_to registrar_root_url
        else
          @depp_user.errors.add(:base, :not_active)
-          render 'login'
+          show_error and return
        end
      else
-        render 'login'
+        show_error and return
      end
    end
@ -56,11 +52,10 @@ class Registrar
      @user = ApiUser.find_by_idc_data_and_allowed(request.env['SSL_CLIENT_S_DN'], request.ip)
      if @user
-        sign_in(@user, event: :authentication)
+        sign_in_and_redirect(:registrar_user, @user, event: :authentication)
        redirect_to registrar_root_url
      else
        flash[:alert] = t('no_such_user')
-        redirect_to registrar_login_url
+        redirect_to new_registrar_user_session_url
      end
    end
@ -117,7 +112,7 @@ class Registrar
          render json: { message: t(:check_your_phone_for_confirmation_code) }, status: :ok
        when 'USER_AUTHENTICATED'
          @user = find_user_by_idc_and_allowed(session[:user_id_code])
-          sign_in @user
+          sign_in(:registrar_user, @user)
          flash[:notice] = t(:welcome)
          flash.keep(:notice)
          render js: "window.location = '#{registrar_root_url}'"
@ -163,8 +158,6 @@ class Registrar
      end
    end
    def check_ip_restriction
      ip_restriction = Authorization::RestrictedIP.new(request.ip)
      allowed = ip_restriction.can_access_registrar_area_sign_in_page?
@ -173,5 +166,36 @@ class Registrar
      render text: t('registrar.authorization.ip_not_allowed', ip: request.ip)
    end
    def current_ability
      @current_ability ||= Ability.new(current_registrar_user, request.remote_ip)
    end
    def after_sign_in_path_for(_resource_or_scope)
      if can?(:show, :poll)
        registrar_root_path
      else
        registrar_profile_path
      end
    end
    def after_sign_out_path_for(_resource_or_scope)
      new_registrar_user_session_path
    end
    def user_for_paper_trail
      current_registrar_user ? current_registrar_user.id_role_username : 'anonymous'
    end
    def depp_user_params
      params = sign_in_params
      params[:tag] = params.delete(:username)
      params.merge!(pki: !(Rails.env.development? || Rails.env.test?))
      params
    end
    def show_error
      redirect_to new_registrar_user_session_url, alert: @depp_user.errors.full_messages.first
    end
  end
-end
+end
--- a/app/controllers/registrar/tech_contacts_controller.rb
+++ b/app/controllers/registrar/tech_contacts_controller.rb
@ -8,7 +8,8 @@ class Registrar
      request = Net::HTTP::Patch.new(uri)
      request.set_form_data(current_contact_id: params[:current_contact_id],
                            new_contact_id: params[:new_contact_id])
-      request.basic_auth(current_user.username, current_user.password)
+      request.basic_auth(current_registrar_user.username,
                         current_registrar_user.plain_text_password)
      if Rails.env.test?
        response = Net::HTTP.start(uri.hostname, uri.port,
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -89,4 +89,8 @@ module ApplicationHelper
    types.delete('ddoc')
    ".#{types.join(',.')}"
  end
-end
+
  def body_css_class
    [controller_path.split('/').map!(&:dasherize), action_name.dasherize, 'page'].join('-')
  end
 end
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -31,8 +31,6 @@ class Ability
  end
  def epp # Registrar/api_user dynamic role
    can :view, :registrar_dashboard
    if @user.registrar.api_ip_white?(@ip)
      can :manage, :poll
      can :manage, Depp::Contact
@ -71,7 +69,6 @@ class Ability
  end
  def billing # Registrar/api_user dynamic role
    can :view, :registrar_dashboard
    can(:manage, Invoice) { |i| i.buyer_id == @user.registrar_id }
    can :manage, :deposit
    can :read, AccountActivity
--- a/app/models/admin_user.rb
+++ b/app/models/admin_user.rb
@ -9,7 +9,8 @@ class AdminUser < User
  ROLES = %w(user customer_service admin) # should not match to api_users roles
-  devise :database_authenticatable, :rememberable, :trackable, :validatable, :lockable
+  devise :database_authenticatable, :trackable, :validatable, :timeoutable,
         authentication_keys: [:username]
  def self.min_password_length
    Devise.password_length.min
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@ -2,11 +2,12 @@ require 'open3'
 class ApiUser < User
  include EppErrors
  devise :database_authenticatable, :trackable, :timeoutable, authentication_keys: [:username]
  def epp_code_map
    {
      '2306' => [ # Parameter policy error
-        [:password, :blank]
+        %i[plain_text_password blank]
      ]
    }
  end
@ -19,8 +20,8 @@ class ApiUser < User
  belongs_to :registrar
  has_many :certificates
-  validates :username, :password, :registrar, :roles, presence: true
+  validates :username, :plain_text_password, :registrar, :roles, presence: true
-  validates :password, length: { minimum: min_password_length }
+  validates :plain_text_password, length: { minimum: min_password_length }
  validates :username, uniqueness: true
  delegate :code, :name, to: :registrar, prefix: true
@ -30,6 +31,7 @@ class ApiUser < User
  SUPER = 'super'
  EPP = 'epp'
  BILLING = 'billing'
  ROLES = %w(super epp billing) # should not match to admin roles
--- a/app/models/registrant_user.rb
+++ b/app/models/registrant_user.rb
@ -2,6 +2,8 @@ class RegistrantUser < User
  ACCEPTED_ISSUER = 'AS Sertifitseerimiskeskus'
  attr_accessor :idc_data
  devise :database_authenticatable, :trackable, :timeoutable
  def ability
    @ability ||= Ability.new(self)
  end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -1,6 +1,5 @@
 class User < ActiveRecord::Base
  include Versions # version/user_version.rb
  devise :trackable, :timeoutable
  attr_accessor :phone
--- a/app/views/admin/api_users/_form.haml
+++ b/app/views/admin/api_users/_form.haml
@ -11,9 +11,9 @@
          = f.text_field :username, required: true, autofocus: true, class: 'form-control'
      .form-group
        .col-md-4.control-label
-          = f.label :password, nil, class: 'required'
+          = f.label :plain_text_password, nil, class: 'required'
        .col-md-7
-          = f.text_field :password, required: true, class: 'form-control'
+          = f.text_field :plain_text_password, required: true, class: 'form-control'
      .form-group
        .col-md-4.control-label
--- a/app/views/admin/api_users/show.haml
+++ b/app/views/admin/api_users/show.haml
@ -21,7 +21,7 @@
          %dd= @api_user.username
          %dt= t(:password)
-          %dd= @api_user.password
+          %dd= @api_user.plain_text_password
          %dt= t(:registrar_name)
          %dd= link_to(@api_user.registrar, admin_registrar_path(@api_user.registrar))
--- a/app/views/admin/base/_menu.haml
+++ b/app/views/admin/base/_menu.haml
@ -39,6 +39,6 @@
          %li= link_to t('.repp_log'), admin_repp_logs_path(created_after: 'today')
          %li= link_to t('.que'), '/admin/que'
-  - if signed_in?
+  %ul.nav.navbar-nav.navbar-right
-    %ul.nav.navbar-nav.navbar-right
+    %li= link_to t('.sign_out'), destroy_admin_user_session_path, method: :delete,
-      %li= link_to t(:log_out, user: current_user), '/admin/logout'
+    class: 'navbar-link'
--- a/app/views/admin/dashboard/show.html.erb
+++ b/app/views/admin/dashboard/show.html.erb
--- a/app/views/admin/sessions/_links.html.erb
+++ b/app/views/admin/sessions/_links.html.erb
@ -0,0 +1,29 @@
 <%- if controller_name != 'sessions' %>
    <%= link_to "Log in", new_session_path(resource_name) %><br/>
 <% end -%>
 <%- if devise_mapping.registerable? && controller_name != 'registrations' %>
    <%= link_to "Sign up", new_registration_path(resource_name) %><br/>
 <% end -%>
 <%- if devise_mapping.recoverable? && controller_name != 'passwords' &&
    controller_name != 'registrations' %>
    <%= link_to "Forgot your password?", new_password_path(resource_name) %><br/>
 <% end -%>
 <%- if devise_mapping.confirmable? && controller_name != 'confirmations' %>
    <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name) %>
    <br/>
 <% end -%>
 <%- if devise_mapping.lockable? && resource_class.unlock_strategy_enabled?(:email) &&
    controller_name != 'unlocks' %>
    <%= link_to "Didn't receive unlock instructions?", new_unlock_path(resource_name) %><br/>
 <% end -%>
 <%- if devise_mapping.omniauthable? %>
    <%- resource_class.omniauth_providers.each do |provider| %>
        <%= link_to "Sign in with #{OmniAuth::Utils.camelize(provider)}",
                    omniauth_authorize_path(resource_name, provider) %><br/>
    <% end -%>
 <% end -%>
--- a/app/views/admin/sessions/login.haml
+++ b/app/views/admin/sessions/login.haml
@ -1,15 +0,0 @@
 .row
  .form-signin.col-md-6.center-block.text-center
    %h2.form-signin-heading.text-center Eesti Interneti SA
    %hr
    .form-signin
      = form_for(@admin_user, url: admin_sessions_path, method: :create, html: {class: 'form-signin'}) do |f|
        = render 'admin/shared/errors', object: f.object
        - error_class = f.object.errors.any? ? 'has-error' : ''
        %div{class: error_class}
          = f.text_field :username, class: 'form-control', placeholder: t(:username), required: true
          = f.password_field :password, class: 'form-control', 
            autocomplete: 'off', placeholder: t(:password), required: true
        %button.btn.btn-lg.btn-primary.btn-block{:type => 'submit'}= t(:log_in)
--- a/app/views/admin/sessions/new.html.erb
+++ b/app/views/admin/sessions/new.html.erb
@ -0,0 +1,29 @@
 <div class="row">
    <%= form_for resource, as: resource_name, url: session_path(resource_name),
                 html: { class: 'col-md-6 form-signin center-block text-center' } do |f| %>
        <h1 class="form-signin-heading text-center"><%= t '.header_html' %></h1>
        <hr>
        <%= f.label :username, class: 'sr-only' %>
        <%= f.text_field :username, placeholder: AdminUser.human_attribute_name(:username),
                         required: true,
                         autofocus: true,
                         class: 'form-control' %>
        <%= f.label :password, class: 'sr-only' %>
        <%= f.password_field :password, placeholder: AdminUser.human_attribute_name(:password),
                             required: true,
                             class: 'form-control' %>
        <% if devise_mapping.rememberable? -%>
            <div class="checkbox">
                <label><%= f.check_box :remember_me %> <%= t '.remember_checkbox' %> %></label>
            </div>
        <% end -%>
        <%= f.submit t('.sign_in_btn'), class: 'btn btn-lg btn-primary btn-block' %>
    <% end %>
 </div>
 <%= render 'links' %>
--- a/app/views/admin/shared/_errors.haml
+++ b/app/views/admin/shared/_errors.haml
@ -1,5 +0,0 @@
 - if object.errors.any?
  %p.text-danger
    - object.errors.each do |attr, err|
      = err
      %br
--- a/app/views/layouts/admin/base.haml
+++ b/app/views/layouts/admin/base.haml
@ -10,7 +10,7 @@
    = csrf_meta_tags
    = stylesheet_link_tag 'admin-manifest', media: 'all'
    = favicon_link_tag 'favicon.ico'
-  %body{:style => env_style}
+  %body{:style => env_style, class: body_css_class}
    .navbar.navbar-inverse.navbar-static-top{role: "navigation"}
      .container
        .navbar-header
@ -19,7 +19,7 @@
            %span.icon-bar
            %span.icon-bar
            %span.icon-bar
-          = link_to admin_dashboard_path, class: 'navbar-brand' do
+          = link_to admin_root_path, class: 'navbar-brand' do
            = ENV['app_name']
            - if unstable_env.present?
              .text-center
--- a/app/views/layouts/devise.haml
+++ b/app/views/layouts/devise.haml
@ -9,7 +9,7 @@
    = csrf_meta_tags
    = stylesheet_link_tag 'admin-manifest', media: 'all'
    = favicon_link_tag 'favicon.ico'
-  %body{:style => env_style}
+  %body{:style => env_style, class: body_css_class}
    .navbar.navbar-inverse.navbar-static-top{role: "navigation"}
      .container
        .navbar-header
@ -18,7 +18,7 @@
            %span.icon-bar
            %span.icon-bar
            %span.icon-bar
-          = link_to admin_dashboard_path, class: 'navbar-brand' do
+          = link_to new_admin_user_session_path, class: 'navbar-brand' do
            = ENV['app_name']
            - if unstable_env.present?
              .text-center
--- a/app/views/layouts/registrant/application.html.erb
+++ b/app/views/layouts/registrant/application.html.erb
@ -14,7 +14,7 @@
        <%= stylesheet_link_tag 'registrant-manifest', media: 'all' %>
        <%= favicon_link_tag 'favicon.ico' %>
    </head>
-    <body>
+    <body class="<%= body_css_class %>">
        <!-- Fixed navbar
        -->
        <nav class="navbar navbar-default navbar-fixed-top">
@ -37,7 +37,7 @@
                        <% end %>
                    <% end %>
                </div>
-                <% if current_user %>
+                <% if current_registrant_user %>
                    <div class="navbar-collapse collapse">
                        <ul class="nav navbar-nav public-nav">
                            <% if can? :view, Depp::Domain %>
@ -54,9 +54,9 @@
                            <% end %>
                        </ul>
                        <ul class="nav navbar-nav navbar-right">
-                            <% if user_signed_in? %>
+                            <% if registrant_user_signed_in? %>
                                <li>
-                                    <%= link_to t(:log_out, user: current_user), '/registrant/logout' %>
+                                    <%= link_to t(:log_out, user: current_registrant_user), destroy_registrant_user_session_path, method: :delete %>
                                </li>
                            <% end %>
                        </ul>
--- a/app/views/layouts/registrar/base.html.erb
+++ b/app/views/layouts/registrar/base.html.erb
@ -14,7 +14,7 @@
        <%= stylesheet_link_tag 'registrar-manifest', media: 'all' %>
        <%= favicon_link_tag 'favicon.ico' %>
    </head>
-    <body>
+    <body class="<%= body_css_class %>">
        <nav class="navbar navbar-default navbar-fixed-top">
            <div class="container">
                <div class="navbar-header">
@ -24,7 +24,8 @@
                        <span class="icon-bar"></span>
                        <span class="icon-bar"></span>
                    </button>
-                    <%= link_to registrar_root_path, class: 'navbar-brand' do %>
+                    <%= link_to can?(:show, :poll) ? registrar_root_path : registrar_profile_path,
                                class: 'navbar-brand' do %>
                        <%= t(:registrar_head_title) %>
                        <% if unstable_env.present? %>
                            <div class="text-center">
--- a/app/views/layouts/registrar/sessions.html.erb
+++ b/app/views/layouts/registrar/sessions.html.erb
@ -13,12 +13,11 @@
    <%= stylesheet_link_tag 'registrar-manifest', media: 'all' %>
    <%= javascript_include_tag 'registrar-manifest' %>
 </head>
-<body>
+<body class="<%= body_css_class %>">
    <nav class="navbar navbar-default navbar-fixed-top">
        <div class="container">
            <div class="navbar-header">
-                <%= link_to registrar_root_path, class: 'navbar-brand',
+                <%= link_to new_registrar_user_session_path, class: 'navbar-brand' do %>
                            id: 'registrar-home-btn' do %>
                    <%= t(:registrar_head_title) %>
                    <% if unstable_env.present? %>
                        <div class="text-center">
--- a/app/views/registrant/sessions/login.haml
+++ b/app/views/registrant/sessions/login.haml
@ -1,11 +0,0 @@
 .row
  .form-signin.col-md-6.center-block.text-center
    %h2.form-signin-heading.text-center= t(:log_in)
    %hr
    .row
      =t "only_estonian_residets_can_signin"
    %br
    = link_to '/registrant/login/mid' do
      = image_tag 'mid.gif'
    = link_to '/registrant/id', method: :post do
      = image_tag 'id_card.gif'
--- a/app/views/registrant/sessions/login_mid.haml
+++ b/app/views/registrant/sessions/login_mid.haml
@ -1,12 +1,12 @@
 .row
  .form-signin.col-md-4.center-block.text-center
-    %h2.form-signin-heading.text-center= t(:log_in_with_mid)
+    %h2.form-signin-heading.text-center= t '.header'
    %hr
    = form_for @user, url: registrant_mid_path, auto_html5_validation: false, 
      html: {class: 'form-signin'} do |f|
      = f.text_field :phone, class: 'form-control', 
        placeholder: t(:phone_no), autocomplete: 'off', required: true
-      %button.btn.btn-lg.btn-primary.btn-block.js-login{:type => 'submit'}= t(:log_in)
+      %button.btn.btn-lg.btn-primary.btn-block.js-login{:type => 'submit'}= t '.submit_btn'
  - if ['development', 'alpha'].include?(Rails.env)
    %div.text-center
--- a/app/views/registrant/sessions/new.html.erb
+++ b/app/views/registrant/sessions/new.html.erb
@ -0,0 +1,18 @@
 <div class="row">
    <div class="form-signin col-md-6 center-block text-center">
        <h2 class="form-signin-heading text-center">
            <%= t '.header' %>
        </h2>
        <hr/>
        <div class="row">
            <%= t '.hint' %>
        </div>
        <br/>
        <%= link_to '/registrant/login/mid' do %>
            <%= image_tag 'mid.gif' %>
        <% end %>
        <%= link_to '/registrant/id', method: :post do %>
            <%= image_tag 'id_card.gif' %>
        <% end %>
    </div>
 </div>
--- a/app/views/registrar/base/_current_user.html.erb
+++ b/app/views/registrar/base/_current_user.html.erb
@ -1,5 +1,5 @@
-<% current_user_presenter = UserPresenter.new(user: current_user, view: self) %>
+<% current_user_presenter = UserPresenter.new(user: current_registrar_user, view: self) %>
 <%= link_to current_user_presenter.login_with_role, registrar_profile_path, id: 'registrar-profile-btn',
            class: 'navbar-link' %>
 <span class="text-muted">|</span>
-<%= link_to t('.sign_out'), registrar_destroy_user_session_path, method: :delete, class: 'navbar-link' %>
+<%= link_to t('.sign_out'), destroy_registrar_user_session_path, method: :delete, class: 'navbar-link' %>
--- a/app/views/registrar/dashboard/show.haml
+++ b/app/views/registrar/dashboard/show.haml
@ -1,3 +0,0 @@
 .panel.panel-default
  .panel-body
    = t('welcome_to_eis_registrar_portal')
--- a/app/views/registrar/invoices/index.haml
+++ b/app/views/registrar/invoices/index.haml
@ -4,8 +4,8 @@
 = render 'shared/title', name: t(:your_account)
 = t(:your_current_account_balance_is,
-  balance: currency(current_user.registrar.cash_account.balance),
+  balance: currency(current_registrar_user.registrar.cash_account.balance),
-  currency: current_user.registrar.cash_account.currency)
+  currency: current_registrar_user.registrar.cash_account.currency)
 %h1= t(:invoices)
 .row
--- a/app/views/registrar/sessions/login.haml
+++ b/app/views/registrar/sessions/login.haml
@ -1,22 +0,0 @@
 .row
  .form-signin.col-md-6.center-block.text-center
    %h2.form-signin-heading.text-center= t(:log_in)
    %hr
    = form_for @depp_user, url: registrar_sessions_path, html: {class: 'form-signin'} do |f|
      = render 'registrar/shared/errors', object: f.object
      - error_class = f.object.errors.any? ? 'has-error' : ''
      %div{class: error_class}
        = f.text_field :tag, class: 'form-control', placeholder: t(:username), required: true
        = f.password_field :password, class: 'form-control',
          autocomplete: 'off', placeholder: t(:password), required: true
      %button.btn.btn-lg.btn-primary.btn-block{:type => 'submit'}= t('.login_btn')
    %hr
    = link_to '/registrar/login/mid', id: 'login-with-mobile-id-btn' do
      = image_tag 'mid.gif'
    = link_to '/registrar/id', method: :post do
      = image_tag 'id_card.gif'
--- a/app/views/registrar/sessions/login_mid.haml
+++ b/app/views/registrar/sessions/login_mid.haml
@ -1,12 +1,12 @@
 .row
  .form-signin.col-md-4.center-block.text-center
-    %h2.form-signin-heading.text-center= t(:log_in_with_mid)
+    %h2.form-signin-heading.text-center= t '.header'
    %hr
    = form_for @user, url: registrar_mid_path, auto_html5_validation: false,
      html: {class: 'form-signin'} do |f|
      = f.text_field :phone, class: 'form-control',
        placeholder: t(:phone_no), autocomplete: 'off', required: true
-      %button.btn.btn-lg.btn-primary.btn-block.js-login{:type => 'submit'}= t('.login_btn')
+      %button.btn.btn-lg.btn-primary.btn-block.js-login{:type => 'submit'}= t '.submit_btn'
  - if ['development', 'alpha'].include?(Rails.env)
    %div.text-center
--- a/app/views/registrar/sessions/new.html.erb
+++ b/app/views/registrar/sessions/new.html.erb
@ -0,0 +1,30 @@
 <div class="row">
    <div class="form-signin col-md-6 center-block text-center">
        <h1 class="form-signin-heading text-center"><%= t '.header_html' %></h1>
        <hr>
        <%= form_for resource, as: resource_name, url: session_path(resource_name) do |f| %>
            <%= f.text_field :username, placeholder: ApiUser.human_attribute_name(:username),
                             autofocus: true,
                             required: true,
                             class: 'form-control' %>
            <%= f.password_field :password,
                                 placeholder: ApiUser.human_attribute_name(:password),
                                 required: true,
                                 class: 'form-control' %>
            <%= f.submit t('.submit_btn'), class: 'btn btn-lg btn-primary btn-block' %>
        <% end %>
        <hr>
        <%= link_to '/registrar/login/mid', id: 'login-with-mobile-id-btn' do %>
            <%= image_tag 'mid.gif' %>
        <% end %>
        <%= link_to '/registrar/id', method: :post do %>
            <%= image_tag 'id_card.gif' %>
        <% end %>
    </div>
 </div>
--- a/app/views/registrar/shared/_errors.haml
+++ b/app/views/registrar/shared/_errors.haml
@ -1,5 +0,0 @@
 - if object.errors.any?
  %p.text-danger
    - object.errors.each do |attr, err|
      = err
      %br
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@ -1,26 +1,31 @@
-require 'devise_custom_failure'
+# frozen_string_literal: true
 # Use this hook to configure devise mailer, warden hooks and so forth.
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
  config.warden do |manager|
    manager.failure_app = DeviseCustomFailure
  end
  # The secret key used by Devise. Devise uses this key to generate
  # random tokens. Changing this key will render invalid all existing
  # confirmation, reset password and unlock tokens in the database.
  # Devise will use the `secret_key_base` as its `secret_key`
  # by default. You can change it below and use your own secret key.
  config.secret_key = ENV['devise_secret']
  # ==> Controller configuration
  # Configure the parent class to the devise controllers.
  # config.parent_controller = 'DeviseController'
  # ==> Mailer Configuration
  # Configure the e-mail address which will be shown in Devise::Mailer,
  # note that it will be overwritten if you use your own mailer class
  # with default "from" parameter.
-  config.mailer_sender = 'noreply@example.com'
+  config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com'
  # Configure the class responsible to send e-mails.
  # config.mailer = 'Devise::Mailer'
  # Configure the parent class responsible to send e-mails.
  # config.parent_mailer = 'ActionMailer::Base'
  # ==> ORM configuration
  # Load and configure the ORM. Supports :active_record (default) and
  # :mongoid (bson_ext recommended) by default. Other ORMs may be
@ -35,7 +40,7 @@ Devise.setup do |config|
  # session. If you need permissions, you should implement that in a before filter.
  # You can also supply a hash where the value is a boolean determining whether
  # or not authentication should be aborted when the value is not present.
-  # config.authentication_keys = [ :email ]
+  # config.authentication_keys = [:email]
  # Configure parameters from the request object used for authentication. Each entry
  # given should be a request method and it will automatically be passed to the
@ -67,7 +72,7 @@ Devise.setup do |config|
  # :database      = Support basic authentication with authentication key + password
  # config.http_authenticatable = false
-  # If http headers should be returned for AJAX requests. True by default.
+  # If 401 status code should be returned for AJAX requests. True by default.
  # config.http_authenticatable_on_xhr = true
  # The realm used in Http Basic Authentication. 'Application' by default.
@ -91,20 +96,31 @@ Devise.setup do |config|
  # from the server. You can disable this option at your own risk.
  # config.clean_up_csrf_token_on_authentication = true
  # When false, Devise will not attempt to reload routes on eager load.
  # This can reduce the time taken to boot the app but if your application
  # requires the Devise mappings to be loaded during boot time the application
  # won't boot properly.
  # config.reload_routes = true
  # ==> Configuration for :database_authenticatable
-  # For bcrypt, this is the cost for hashing the password and defaults to 10. If
+  # For bcrypt, this is the cost for hashing the password and defaults to 11. If
-  # using other encryptors, it sets how many times you want the password re-encrypted.
+  # using other algorithms, it sets how many times you want the password to be hashed.
  #
  # Limiting the stretches to just one in testing will increase the performance of
  # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use
  # a value less than 10 in other environments. Note that, for bcrypt (the default
-  # encryptor), the cost increases exponentially with the number of stretches (e.g.
+  # algorithm), the cost increases exponentially with the number of stretches (e.g.
  # a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation).
-  config.stretches = Rails.env.test? ? 1 : 10
+  config.stretches = Rails.env.test? ? 1 : 11
-  # Setup a pepper to generate the encrypted password.
+  # Set up a pepper to generate the hashed password.
-  # config.pepper = '4d1b39f778c3ea5b415476ce410f337a27895181a8ccd586c60e50e0f7284' \
+  # config.pepper = '1fc02c7f3a9d5d0dc6c3e49828eb45d29e5fdb3136f78ee0063a2cdf774b7ed53ea40176d5823703554b7f015dd23c0e491fb488bb705a0768db32d02b1d088d'
-  # '3d5d6ded80558ed7a4637de6b3a1504379270af6eee995fd9a329e4f4c5daa33882'
+
  # Send a notification to the original email when the user's email is changed.
  # config.send_email_changed_notification = false
  # Send a notification email when the user's password is changed.
  # config.send_password_change_notification = false
  # ==> Configuration for :confirmable
  # A period that the user is allowed to access the website even without
@ -129,11 +145,11 @@ Devise.setup do |config|
  config.reconfirmable = true
  # Defines which key will be used when confirming an account
-  # config.confirmation_keys = [ :email ]
+  # config.confirmation_keys = [:email]
  # ==> Configuration for :rememberable
  # The time the user will be remembered without asking for credentials again.
-  config.remember_for = 2.weeks
+  # config.remember_for = 2.weeks
  # Invalidates all the remember me tokens when the user signs out.
  config.expire_all_remember_me_on_sign_out = true
@ -152,15 +168,12 @@ Devise.setup do |config|
  # Email regex used to validate email formats. It simply asserts that
  # one (and only one) @ exists in the given string. This is mainly
  # to give user feedback and not to assert the e-mail validity.
-  # config.email_regexp = /\A[^@]+@[^@]+\z/
+  config.email_regexp = /\A[^@\s]+@[^@\s]+\z/
  # ==> Configuration for :timeoutable
  # The time you want to timeout the user session without activity. After this
  # time the user will be asked for credentials again. Default is 30 minutes.
-  config.timeout_in = ENV['user_session_timeout'].to_i.seconds if ENV['user_session_timeout']
+  # config.timeout_in = 30.minutes
  # If true, expires auth token on session timeout.
  # config.expire_auth_token_on_timeout = false
  # ==> Configuration for :lockable
  # Defines which strategy will be used to lock an account.
@ -169,7 +182,7 @@ Devise.setup do |config|
  # config.lock_strategy = :failed_attempts
  # Defines which key will be used when locking and unlocking an account
-  # config.unlock_keys = [ :email ]
+  # config.unlock_keys = [:email]
  # Defines which strategy will be used to unlock an account.
  # :email = Sends an unlock link to the user email
@ -186,24 +199,28 @@ Devise.setup do |config|
  # config.unlock_in = 1.hour
  # Warn on the last attempt before the account is locked.
-  # config.last_attempt_warning = false
+  # config.last_attempt_warning = true
  # ==> Configuration for :recoverable
  #
  # Defines which key will be used when recovering the password for an account
-  # config.reset_password_keys = [ :email ]
+  # config.reset_password_keys = [:email]
  # Time interval you can reset your password with a reset password key.
  # Don't put a too small interval or your users won't have the time to
  # change their passwords.
  config.reset_password_within = 6.hours
  # When set to false, does not sign a user in automatically after their password is
  # reset. Defaults to true, so a user is signed in automatically after a reset.
  # config.sign_in_after_reset_password = true
  # ==> Configuration for :encryptable
-  # Allow you to use another encryption algorithm besides bcrypt (default). You can use
+  # Allow you to use another hashing or encryption algorithm besides bcrypt (default).
-  # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
+  # You can use :sha1, :sha512 or algorithms from others authentication tools as
-  # :authlogic_sha512 (then you should set stretches above to 20 for default behavior)
+  # :clearance_sha1, :authlogic_sha512 (then you should set stretches above to 20
-  # and :restful_authentication_sha1 (then you should set stretches to 10, and copy
+  # for default behavior) and :restful_authentication_sha1 (then you should set
-  # REST_AUTH_SITE_KEY to pepper).
+  # stretches to 10, and copy REST_AUTH_SITE_KEY to pepper).
  #
  # Require the `devise-encryptable` gem when using anything other than bcrypt
  # config.encryptor = :sha512
@ -220,7 +237,7 @@ Devise.setup do |config|
  # Set this configuration to false if you want /users/sign_out to sign out
  # only the current scope. By default, Devise signs out all scopes.
-  # config.sign_out_all_scopes = true
+  config.sign_out_all_scopes = false
  # ==> Navigation configuration
  # Lists the formats that should be treated as navigational. Formats like
@ -260,8 +277,7 @@ Devise.setup do |config|
  # The router that invoked `devise_for`, in the example above, would be:
  # config.router_name = :my_engine
  #
-  # When using omniauth, Devise cannot automatically set Omniauth path,
+  # When using OmniAuth, Devise cannot automatically set OmniAuth path,
  # so you need to do it manually. For the users scope, it would be:
  # config.omniauth_path_prefix = '/my_engine/users/auth'
 end
--- a/config/locales/admin/base.en.yml
+++ b/config/locales/admin/base.en.yml
@ -0,0 +1,5 @@
 en:
  admin:
    base:
      menu:
        sign_out: Sign out
--- a/config/locales/admin/sessions.en.yml
+++ b/config/locales/admin/sessions.en.yml
@ -0,0 +1,7 @@
 en:
  admin:
    sessions:
      new:
        header_html: Eesti Interneti SA<br>Admin portal
        sign_in_btn: Sign in
        remember_checkbox: Remember me
--- a/config/locales/api_users.en.yml
+++ b/config/locales/api_users.en.yml
@ -0,0 +1,16 @@
 en:
  activerecord:
    attributes:
      api_user:
        plain_text_password: Password
    errors:
      models:
        api_user:
          attributes:
            username:
              blank: 'Username is missing'
              taken: 'Username already exists'
            plain_text_password:
              blank: 'Password is missing'
            registrar:
              blank: 'Registrar is missing'
--- a/config/locales/devise.en.yml
+++ b/config/locales/devise.en.yml
@ -9,12 +9,12 @@ en:
    failure:
      already_authenticated: "You are already signed in."
      inactive: "Your account is not activated yet."
-      invalid: "Invalid email or password."
+      invalid: "Invalid %{authentication_keys} or password."
      locked: "Your account is locked."
      last_attempt: "You have one more attempt before your account is locked."
-      not_found_in_database: "Invalid email address or password."
+      not_found_in_database: "Invalid %{authentication_keys} or password."
      timeout: "Your session expired. Please sign in again to continue."
-      unauthenticated: "You need to sign in."
+      unauthenticated: "You need to sign in before continuing."
      unconfirmed: "You have to confirm your email address before continuing."
    mailer:
      confirmation_instructions:
@ -23,6 +23,10 @@ en:
        subject: "Reset password instructions"
      unlock_instructions:
        subject: "Unlock instructions"
      email_changed:
        subject: "Email Changed"
      password_change:
        subject: "Password Changed"
    omniauth_callbacks:
      failure: "Could not authenticate you from %{kind} because \"%{reason}\"."
      success: "Successfully authenticated from %{kind} account."
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -135,16 +135,6 @@ en:
            registrar:
              blank: 'Registrar is missing'
        api_user:
          attributes:
            username:
              blank: 'Username is missing'
              taken: 'Username already exists'
            password:
              blank: 'Password is missing'
            registrar:
              blank: 'Registrar is missing'
        dnskey:
          attributes:
            alg:
@ -400,7 +390,6 @@ en:
  invoices: 'Invoices'
  no_such_user: 'No such user'
  phone_no: 'Phone number'
  log_in_with_mid: 'Log in with mobile-id'
  confirmation_sms_was_sent_to_your_phone_verification_code_is: 'Confirmation sms was sent to your phone. Verification code is %{code}.'
  user_signature_is_invalid: 'User signature is invalid'
  session_timeout: 'Session timeout'
@ -432,7 +421,6 @@ en:
              blank: "Password can't be blank"
  username: 'Username'
  log_in: 'Log in'
  domains: 'Domains'
  register: 'Register'
  contacts: 'Contacts'
@ -729,7 +717,6 @@ en:
  mail_templates: Mail Templates
  failure: "It was not saved"
  contact_is_not_valid: 'Contact %{value} is not valid, please fix the invalid contact'
  welcome_to_eis_registrar_portal: 'Welcome to EIS Registrar portal'
  next: 'Next'
  previous: 'Previous'
  personal_domain_verification_url: 'Personal domain verification url'
@ -741,7 +728,6 @@ en:
  test_registrar: "Test registrar"
  verified_confirm: 'Verified status is for cases when current registrant is the one applying for the update. Legal document signed by the registrant is required. Are you sure this update is properly verified with the registrant?'
  verified: 'Verified'
  only_estonian_residets_can_signin: "Access currently available only to Estonian citizens and e-residents with Estonian ID-card or Mobile-ID."
  deleted: 'Deleted'
  cant_match_version: 'Impossible match version with request'
  user_not_authenticated: "user not authenticated"
--- a/config/locales/et.yml
+++ b/config/locales/et.yml
@ -1,7 +1,6 @@
 et:
  username: 'Kasutajanimi'
  password: 'Parool'
  log_in: 'Logi sisse'
  date:
    # Don't forget the nil at the beginning; there's no such thing as a 0th month
--- a/config/locales/registrant/sessions.en.yml
+++ b/config/locales/registrant/sessions.en.yml
@ -0,0 +1,12 @@
 en:
  registrant:
    sessions:
      new:
        header: Log in
        hint:  >-
          Access currently available only to Estonian citizens and e-residents with Estonian ID-card
          or Mobile-ID.
      login_mid:
        header: Log in with mobile-id
        submit_btn: Login
--- a/config/locales/registrar/sessions.en.yml
+++ b/config/locales/registrar/sessions.en.yml
@ -1,7 +1,9 @@
 en:
  registrar:
    sessions:
-      login:
+      new:
-        login_btn: Login
+        header_html: Eesti Interneti SA<br>Registrar Portal
        submit_btn: Login
      login_mid:
-        login_btn: Login
+        header: Log in with mobile-id
        submit_btn: Login
--- a/config/routes.rb
+++ b/config/routes.rb
@ -31,8 +31,17 @@ Rails.application.routes.draw do
  # REGISTRAR ROUTES
  namespace :registrar do
-    resource :dashboard
+    root 'polls#show'
-    root 'dashboard#show'
+
    devise_for :users, path: '', class_name: 'ApiUser', skip: %i[sessions]
    devise_scope :registrar_user do
      get 'login/mid' => 'sessions#login_mid'
      post 'login/mid' => 'sessions#mid'
      post 'login/mid_status' => 'sessions#mid_status'
      post 'id' => 'sessions#id'
      post 'mid' => 'sessions#mid'
    end
    resources :invoices do
      member do
@ -45,18 +54,6 @@ Rails.application.routes.draw do
    resources :deposits
    resources :account_activities
    devise_scope :user do
      get 'login' => 'sessions#login'
      get 'login/mid' => 'sessions#login_mid'
      post 'login/mid' => 'sessions#mid'
      post 'login/mid_status' => 'sessions#mid_status'
      post 'sessions' => 'sessions#create'
      post 'id' => 'sessions#id'
      post 'mid' => 'sessions#mid'
      delete 'logout', to: '/devise/sessions#destroy', as: :destroy_user_session
    end
    put 'current_user/switch/:new_user_id', to: 'current_user#switch', as: :switch_current_user
    resource :profile, controller: :profile, only: :show
@ -87,7 +84,7 @@ Rails.application.routes.draw do
      end
    end
-    resource :poll do
+    resource :poll, only: %i[show destroy] do
      collection do
        post 'confirm_keyrelay'
        post 'confirm_transfer'
@ -109,9 +106,33 @@ Rails.application.routes.draw do
    get  'pay/go/:bank'           => 'payments#pay',   as: 'payment_with'
  end
  scope :registrar do
    devise_scope :registrar_user do
      get 'sign_in', to: 'registrar/sessions#new', as: :new_registrar_user_session
      # /registrar/sessions path is hardcoded in Apache config for certificate-based authentication
      # See https://github.com/internetee/registry/blob/master/README.md#installation
      # Client certificate is asked only on login form submission, therefore the path must be
      # different from the one in `new_registrar_user_session` route
      post 'sessions', to: 'registrar/sessions#create', as: :registrar_user_session
      delete 'sign_out', to: 'registrar/sessions#destroy', as: :destroy_registrar_user_session
    end
  end
  namespace :registrant do
    root 'domains#index'
    # POST /registrant/sign_in is not used
    devise_for :users, path: '', class_name: 'RegistrantUser'
    devise_scope :registrant_user do
      get 'login/mid' => 'sessions#login_mid'
      post 'login/mid' => 'sessions#mid'
      post 'login/mid_status' => 'sessions#mid_status'
      post 'mid' => 'sessions#mid'
      post 'id' => 'sessions#id'
    end
    resources :registrars, only: :show
    resources :contacts, only: :show
    resources :domains, only: %i[index show] do
@ -126,22 +147,13 @@ Rails.application.routes.draw do
    resources :domain_update_confirms, only: %i[show update]
    resources :domain_delete_confirms, only: %i[show update]
    devise_scope :user do
      get 'login' => 'sessions#login'
      get 'login/mid' => 'sessions#login_mid'
      post 'login/mid' => 'sessions#mid'
      post 'login/mid_status' => 'sessions#mid_status'
      post 'sessions' => 'sessions#create'
      post 'mid' => 'sessions#mid'
      post 'id' => 'sessions#id'
      get 'logout' => '/devise/sessions#destroy'
    end
  end
  # ADMIN ROUTES
  namespace :admin do
    root 'dashboard#show'
    devise_for :users, path: '', class_name: 'AdminUser'
    resources :keyrelays
    resources :zonefiles
    resources :zones, controller: 'dns/zones', except: %i[show destroy]
@ -243,26 +255,14 @@ Rails.application.routes.draw do
    end
    resources :delayed_jobs
    resource :dashboard
    resources :epp_logs
    resources :repp_logs
-    devise_scope :user do
+    authenticate :admin_user do
      get 'login' => 'sessions#login'
      post 'sessions' => 'sessions#create'
      get 'logout' => '/devise/sessions#destroy'
    end
    authenticate :user do
      mount Que::Web, at: 'que'
    end
    root 'dashboards#show'
  end
-  devise_for :users
+  # To prevent users seeing the default welcome message "Welcome aboard" from Rails
-
+  root to: redirect('admin/sign_in')
-  root to: redirect('admin/login')
+end
 end
--- a/db/migrate/20180713154915_rename_users_password_to_plain_text_password.rb
+++ b/db/migrate/20180713154915_rename_users_password_to_plain_text_password.rb
@ -0,0 +1,5 @@
 class RenameUsersPasswordToPlainTextPassword < ActiveRecord::Migration
  def change
    rename_column :users, :password, :plain_text_password
  end
 end
--- a/db/structure.sql
+++ b/db/structure.sql
@ -2282,7 +2282,7 @@ ALTER SEQUENCE public.settings_id_seq OWNED BY public.settings.id;
 CREATE TABLE public.users (
    id integer NOT NULL,
    username character varying,
-    password character varying,
+    plain_text_password character varying,
    created_at timestamp without time zone,
    updated_at timestamp without time zone,
    email character varying,
@ -4759,3 +4759,5 @@ INSERT INTO schema_migrations (version) VALUES ('20180613030330');
 INSERT INTO schema_migrations (version) VALUES ('20180613045614');
 INSERT INTO schema_migrations (version) VALUES ('20180713154915');
--- a/doc/controllers_complete.svg
+++ b/doc/controllers_complete.svg
@ -433,14 +433,6 @@
 <path fill="none" stroke="black" d="M-467.5,-480.5C-467.5,-480.5 -344.5,-480.5 -344.5,-480.5 -338.5,-480.5 -332.5,-486.5 -332.5,-492.5 -332.5,-492.5 -332.5,-681.5 -332.5,-681.5 -332.5,-687.5 -338.5,-693.5 -344.5,-693.5 -344.5,-693.5 -467.5,-693.5 -467.5,-693.5 -473.5,-693.5 -479.5,-687.5 -479.5,-681.5 -479.5,-681.5 -479.5,-492.5 -479.5,-492.5 -479.5,-486.5 -473.5,-480.5 -467.5,-480.5"/>
 <text text-anchor="middle" x="-406" y="-678.3" font-family="Times,serif" font-size="14.00">ApplicationController</text>
 <polyline fill="none" stroke="black" points="-479.5,-670.5 -332.5,-670.5 "/>
 <text text-anchor="start" x="-471.5" y="-655.3" font-family="Times,serif" font-size="14.00">admin_request?</text>
 <text text-anchor="start" x="-471.5" y="-640.3" font-family="Times,serif" font-size="14.00">after_sign_in_path_for</text>
 <text text-anchor="start" x="-471.5" y="-625.3" font-family="Times,serif" font-size="14.00">after_sign_out_path_for</text>
 <text text-anchor="start" x="-471.5" y="-610.3" font-family="Times,serif" font-size="14.00">api_user_log_str</text>
 <text text-anchor="start" x="-471.5" y="-595.3" font-family="Times,serif" font-size="14.00">current_root_url</text>
 <text text-anchor="start" x="-471.5" y="-565.3" font-family="Times,serif" font-size="14.00">registrant_request?</text>
 <text text-anchor="start" x="-471.5" y="-550.3" font-family="Times,serif" font-size="14.00">registrar_request?</text>
 <text text-anchor="start" x="-471.5" y="-535.3" font-family="Times,serif" font-size="14.00">user_for_paper_trail</text>
 <polyline fill="none" stroke="black" points="-479.5,-527.5 -332.5,-527.5 "/>
 <polyline fill="none" stroke="black" points="-479.5,-503.5 -332.5,-503.5 "/>
 <text text-anchor="start" x="-471.5" y="-488.3" font-family="Times,serif" font-size="14.00">_layout</text>
--- a/doc/registrant-api/v1/authentication.md
+++ b/doc/registrant-api/v1/authentication.md
@ -38,7 +38,7 @@ Content-type: application/json
 #### Response
 ```
 HTTP/1.1 201
-Content-Type: application.json
+Content-Type: application/json
 {
@ -70,7 +70,7 @@ Content-type: application/json
 #### Response
 ```
 HTTP/1.1 201
-Content-Type: application.json
+Content-Type: application/json
 {
--- a/doc/registrant-api/v1/contact.md
+++ b/doc/registrant-api/v1/contact.md
@ -148,7 +148,7 @@ Content-type: application/json
 ```
 HTTP/1.1 200
-Content-Type: application.json
+Content-Type: application/json
 {
  "uuid": "84c62f3d-e56f-40fa-9ca4-dc0137778949",
@ -184,7 +184,7 @@ Content-Type: application.json
 ### Response on failure
 ```
 HTTP/1.1 400
-Content-Type: application.json
+Content-Type: application/json
 {
  "errors": [
--- a/lib/devise_custom_failure.rb
+++ b/lib/devise_custom_failure.rb
@ -1,18 +0,0 @@
 class DeviseCustomFailure < Devise::FailureApp
  def redirect_url
    return registrant_login_url if request.original_fullpath.to_s.match(%r{^\/registrant})
    return registrar_login_url  if request.original_fullpath.to_s.match(%r{^\/registrar})
    return '/admin'             if request.original_fullpath.to_s.match(%r{^\/admin\/que})
    return admin_login_url      if request.original_fullpath.to_s.match(%r{^\/admin})
    root_url
  end
  # You need to override respond to eliminate recall
  def respond
    if http_auth?
      http_auth
    else
      redirect
    end
  end
 end
--- a/lib/tasks/import.rake
+++ b/lib/tasks/import.rake
@ -145,7 +145,7 @@ namespace :import do
          if y.try(:cert) == 'idkaart'
            id_users << ApiUser.new({
              username: y.try(:password) ? y.try(:password) : y.try(:password),
-              password: ('a'..'z').to_a.shuffle.first(8).join,
+              plain_text_password: ('a'..'z').to_a.shuffle.first(8).join,
              identity_code: y.try(:password) ? y.try(:password) : y.try(:password),
              registrar_id: Registrar.find_by(legacy_id: x.try(:id)).try(:id),
              roles: ['billing'],
@ -154,7 +154,7 @@ namespace :import do
          else
            temp << ApiUser.new({
              username: x.handle.try(:strip),
-              password: y.try(:password) ? y.try(:password) : ('a'..'z').to_a.shuffle.first(8).join,
+              plain_text_password: y.try(:password) ? y.try(:password) : ('a'..'z').to_a.shuffle.first(8).join,
              registrar_id: Registrar.find_by(legacy_id: x.try(:id)).try(:id),
              roles: ['epp'],
              legacy_id: y.try(:id)
--- a/spec/api/repp/contact_v1_spec.rb
+++ b/spec/api/repp/contact_v1_spec.rb
@ -45,6 +45,6 @@ RSpec.describe Repp::ContactV1, db: true do
  end
  def http_auth_key
-    ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password)
+    ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.plain_text_password)
  end
 end
--- a/spec/factories/api_user.rb
+++ b/spec/factories/api_user.rb
@ -1,7 +1,7 @@
 FactoryBot.define do
  factory :api_user do
    sequence(:username) { |n| "test#{n}" }
-    password 'a' * ApiUser.min_password_length
+    plain_text_password 'a' * ApiUser.min_password_length
    roles ['super']
    registrar
--- a/spec/features/registrar/home_link_spec.rb
+++ b/spec/features/registrar/home_link_spec.rb
@ -1,8 +0,0 @@
 require 'rails_helper'
 RSpec.feature 'Registrar area home link', db: true do
  scenario 'is visible' do
    visit registrar_login_url
    expect(page).to have_link('registrar-home-btn', href: registrar_root_path)
  end
 end
--- a/spec/features/registrar/sign_in/password_spec.rb
+++ b/spec/features/registrar/sign_in/password_spec.rb
@ -1,39 +0,0 @@
 require 'rails_helper'
 RSpec.feature 'Registrar area password sign-in' do
  scenario 'signs in the user with valid credentials' do
    create(:api_user_with_unlimited_balance,
           active: true,
           login: 'test',
           password: 'testtest')
    visit registrar_login_path
    sign_in_with 'test', 'testtest'
    expect(page).to have_text(t('registrar.base.current_user.sign_out'))
  end
  scenario 'notifies the user with invalid credentials' do
    create(:api_user, login: 'test', password: 'testtest')
    visit registrar_login_path
    sign_in_with 'test', 'invalid'
    expect(page).to have_text('No such user')
  end
  scenario 'notifies the user with inactive account' do
    create(:api_user, active: false, login: 'test', password: 'testtest')
    visit registrar_login_path
    sign_in_with 'test', 'testtest'
    expect(page).to have_text('User is not active')
  end
  def sign_in_with(username, password)
    fill_in 'depp_user_tag', with: username
    fill_in 'depp_user_password', with: password
    click_button 'Login'
  end
 end
--- a/spec/features/registrar/sign_out_spec.rb
+++ b/spec/features/registrar/sign_out_spec.rb
@ -1,14 +0,0 @@
 require 'rails_helper'
 RSpec.feature 'Registrar area sign-out', settings: false do
  background do
    sign_in_to_registrar_area(user: create(:api_user_with_unlimited_balance))
  end
  scenario 'signs the user out' do
    visit registrar_root_path
    click_on t('registrar.base.current_user.sign_out')
    expect(page).to have_text('Signed out successfully.')
  end
 end
--- a/spec/requests/registrar/ip_restriction_spec.rb
+++ b/spec/requests/registrar/ip_restriction_spec.rb
@ -2,11 +2,11 @@ require 'rails_helper'
 RSpec.describe 'Registrar area IP restriction', settings: false do
  before do
-    @original_registrar_ip_whitelist_enabled = Setting.registrar_ip_whitelist_enabled
+    @original_registrar_ip_whitelist_enabled_setting = Setting.registrar_ip_whitelist_enabled
  end
  after do
-    Setting.registrar_ip_whitelist_enabled = @original_registrar_ip_whitelist_enabled
+    Setting.registrar_ip_whitelist_enabled = @original_registrar_ip_whitelist_enabled_setting
  end
  context 'when authenticated' do
@ -22,12 +22,11 @@ RSpec.describe 'Registrar area IP restriction', settings: false do
      context 'when ip is allowed' do
        let!(:white_ip) { create(:white_ip,
                                 ipv4: '127.0.0.1',
-                                 registrar: controller.current_user.registrar,
+                                 registrar: controller.current_registrar_user.registrar,
                                 interfaces: [WhiteIp::REGISTRAR]) }
        specify do
          get registrar_root_url
          follow_redirect!
          expect(response).to be_success
        end
      end
@ -35,13 +34,12 @@ RSpec.describe 'Registrar area IP restriction', settings: false do
      context 'when ip is not allowed' do
        it 'signs the user out' do
          get registrar_root_url
-          follow_redirect!
+          expect(controller.current_registrar_user).to be_nil
          expect(controller.current_user).to be_nil
        end
        it 'redirects to login url' do
          get registrar_root_url
-          expect(response).to redirect_to(registrar_login_url)
+          expect(response).to redirect_to(new_registrar_user_session_url)
        end
      end
    end
@ -49,7 +47,6 @@ RSpec.describe 'Registrar area IP restriction', settings: false do
    context 'when IP restriction is disabled' do
      specify do
        get registrar_root_url
        follow_redirect!
        expect(response).to be_success
      end
    end
@ -67,14 +64,14 @@ RSpec.describe 'Registrar area IP restriction', settings: false do
                                 interfaces: [WhiteIp::REGISTRAR]) }
        specify do
-          get registrar_login_path
+          get new_registrar_user_session_path
          expect(response).to be_success
        end
      end
      context 'when ip is not allowed' do
        specify do
-          get registrar_login_path
+          get new_registrar_user_session_path
          expect(response.body).to match "Access denied"
        end
      end
@ -82,7 +79,7 @@ RSpec.describe 'Registrar area IP restriction', settings: false do
    context 'when IP restriction is disabled' do
      specify do
-        get registrar_login_path
+        get new_registrar_user_session_path
        expect(response).to be_success
      end
    end
--- a/spec/requests/registrar/linked_users_spec.rb
+++ b/spec/requests/registrar/linked_users_spec.rb
@ -6,7 +6,7 @@ RSpec.describe 'Registrar area linked users', db: false do
      let!(:current_user) { create(:api_user, id: 1, identity_code: 'code') }
      before do
-        sign_in_to_registrar_area(user: current_user)
+        sign_in current_user
      end
      context 'when ip is allowed' do
@ -23,7 +23,7 @@ RSpec.describe 'Registrar area linked users', db: false do
          it 'signs in as a new user' do
            put '/registrar/current_user/switch/2', nil, { HTTP_REFERER: registrar_contacts_url }
            follow_redirect!
-            expect(controller.current_user.id).to eq(2)
+            expect(controller.current_registrar_user.id).to eq(2)
          end
          it 'redirects back' do
@ -40,15 +40,6 @@ RSpec.describe 'Registrar area linked users', db: false do
              put '/registrar/current_user/switch/2', nil, { HTTP_REFERER: registrar_contacts_path }
            end.to raise_error('Cannot switch to unlinked user')
          end
          it 'does not sign in as a new user' do
            suppress StandardError do
              put '/registrar/current_user/switch/2', nil, { HTTP_REFERER: registrar_contacts_path }
            end
            follow_redirect!
            expect(controller.current_user.id).to eq(1)
          end
        end
      end
@ -62,7 +53,7 @@ RSpec.describe 'Registrar area linked users', db: false do
        specify do
          put '/registrar/current_user/switch/2'
-          expect(response).to redirect_to(registrar_login_url)
+          expect(response).to redirect_to(new_registrar_user_session_url)
        end
      end
    end
@ -70,7 +61,7 @@ RSpec.describe 'Registrar area linked users', db: false do
    context 'when user is not authenticated' do
      specify do
        put '/registrar/current_user/switch/2'
-        expect(response).to redirect_to(registrar_login_url)
+        expect(response).to redirect_to(new_registrar_user_session_url)
      end
    end
  end
--- a/spec/requests/registrar/sign_in/password_spec.rb
+++ b/spec/requests/registrar/sign_in/password_spec.rb
@ -1,16 +0,0 @@
 require 'rails_helper'
 RSpec.describe 'Registrar area password sign-in', settings: false do
  let!(:user) { create(:api_user, active: true, login: 'test', password: 'testtest') }
  it 'signs the user in' do
    post registrar_sessions_path, depp_user: { tag: 'test', password: 'testtest' }
    follow_redirect!
    expect(controller.current_user).to eq(user)
  end
  it 'redirects to root url' do
    post registrar_sessions_path, depp_user: { tag: 'test', password: 'testtest' }
    expect(response).to redirect_to(registrar_root_url)
  end
 end
--- a/spec/requests/registrar/sign_out_spec.rb
+++ b/spec/requests/registrar/sign_out_spec.rb
@ -1,18 +0,0 @@
 require 'rails_helper'
 RSpec.describe 'Registrar area sign-out', settings: false do
  before do
    sign_in_to_registrar_area
  end
  it 'signs the user out' do
    delete registrar_destroy_user_session_path
    follow_redirect!
    expect(controller.current_user).to be_nil
  end
  it 'redirects to login url' do
    delete registrar_destroy_user_session_path
    expect(response).to redirect_to(registrar_login_url)
  end
 end
--- a/spec/routing/registrar/domains_routing_spec.rb
+++ b/spec/routing/registrar/domains_routing_spec.rb
@ -1,9 +0,0 @@
 require 'rails_helper'
 RSpec.describe Registrar::DomainsController do
  describe 'routing' do
    it 'routes to #index' do
      expect(get: '/registrar/domains').to route_to('registrar/domains#index')
    end
  end
 end
--- a/spec/routing/registrar/sessions_routing_spec.rb
+++ b/spec/routing/registrar/sessions_routing_spec.rb
@ -1,9 +0,0 @@
 require 'rails_helper'
 RSpec.describe Registrar::SessionsController do
  describe 'routing' do
    it 'routes to #login' do
      expect(get: '/registrar/login').to route_to('registrar/sessions#login')
    end
  end
 end
--- a/spec/support/features/session_helpers.rb
+++ b/spec/support/features/session_helpers.rb
@ -1,19 +1,19 @@
 module Features
  module SessionHelpers
    def sign_in_to_admin_area(user: create(:admin_user))
-      visit admin_login_url
+      visit new_admin_user_session_url
      fill_in 'admin_user[username]', with: user.username
      fill_in 'admin_user[password]', with: user.password
-      click_button 'Log in'
+      click_button 'Sign in'
    end
    def sign_in_to_registrar_area(user: create(:api_user))
-      visit registrar_login_url
+      visit new_registrar_user_session_url
-      fill_in 'depp_user_tag', with: user.username
+      fill_in 'registrar_user_username', with: user.username
-      fill_in 'depp_user_password', with: user.password
+      fill_in 'registrar_user_password', with: user.plain_text_password
      click_button 'Login'
    end
--- a/spec/support/requests/session_helpers.rb
+++ b/spec/support/requests/session_helpers.rb
@ -1,11 +1,11 @@
 module Requests
  module SessionHelpers
    def sign_in_to_admin_area(user: create(:admin_user))
-      post admin_sessions_path, admin_user: { username: user.username, password: user.password }
+      post admin_user_session_path, admin_user: { username: user.username, password: user.password }
    end
    def sign_in_to_registrar_area(user: create(:api_user))
-      post registrar_sessions_path, { depp_user: { tag: user.username, password: user.password } }
+      post registrar_user_session_path, { registrar_user: { username: user.username, password: user.plain_text_password } }
    end
  end
-end
+end
--- a/test/fixtures/contacts.yml
+++ b/test/fixtures/contacts.yml
@ -14,7 +14,7 @@ william: &william
  name: William
  email: william@inbox.test
  phone: '+555.555'
-  fax: +555.555
+  fax: '+666.6'
  ident: 1234
  ident_type: priv
  ident_country_code: US
--- a/test/fixtures/registrars.yml
+++ b/test/fixtures/registrars.yml
@ -40,13 +40,4 @@ complete:
  accounting_customer_code: US0001
  language: en
  vat_no: US12345
-  vat_rate: 0.05
+  vat_rate: 0.05
 not_in_use:
  name: any
  reg_no: any
  code: any
  email: any@example.com
  country_code: US
  accounting_customer_code: any
  language: en
--- a/test/fixtures/users.yml
+++ b/test/fixtures/users.yml
@ -1,6 +1,6 @@
 api_bestnames:
  username: test_bestnames
-  password: testtest
+  plain_text_password: testtest
  type: ApiUser
  registrar: bestnames
  active: true
@ -9,7 +9,7 @@ api_bestnames:
 api_goodnames:
  username: test_goodnames
-  password: testtest
+  plain_text_password: testtest
  type: ApiUser
  registrar: goodnames
  active: true
@ -18,6 +18,7 @@ api_goodnames:
 admin:
  username: test
  encrypted_password: <%= Devise::Encryptor.digest(AdminUser, 'testtest') %>
  type: AdminUser
  country_code: US
  roles:
--- a/test/integration/epp/login/password_change_test.rb
+++ b/test/integration/epp/login/password_change_test.rb
@ -0,0 +1,33 @@
 require 'test_helper'
 class EppLoginPasswordChangeTest < ActionDispatch::IntegrationTest
  def test_password_change
    request_xml = <<-XML
      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
      <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
        <command>
          <login>
            <clID>test_bestnames</clID>
            <pw>testtest</pw>
            <newPW>new-password</newPW>
            <options>
              <version>1.0</version>
              <lang>en</lang>
            </options>
            <svcs>
              <objURI>https://epp.tld.ee/schema/domain-eis-1.0.xsd</objURI>
              <objURI>https://epp.tld.ee/schema/contact-ee-1.1.xsd</objURI>
              <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
              <objURI>urn:ietf:params:xml:ns:keyrelay-1.0</objURI>
            </svcs>
          </login>
        </command>
      </epp>
    XML
    post '/epp/session/login', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=new_session_id' }
    assert_equal 'new-password', users(:api_bestnames).plain_text_password
    assert_equal '1000', Nokogiri::XML(response.body).at_css('result')[:code]
    assert_equal 1, Nokogiri::XML(response.body).css('result').size
  end
 end
--- a/test/system/admin_area/api_users/new_test.rb
+++ b/test/system/admin_area/api_users/new_test.rb
@ -0,0 +1,25 @@
 require 'test_helper'
 class AdminAreaNewApiUserTest < ApplicationSystemTestCase
  setup do
    sign_in users(:admin)
  end
  def test_new_api_user_creation_with_required_params
    visit admin_api_users_url
    click_link_or_button 'New API user'
    fill_in 'Username', with: 'newtest'
    fill_in 'Password', with: 'testtest'
    find('#api_user_registrar_id', visible: false).set(registrars(:bestnames).id)
    assert_difference 'ApiUser.count' do
      click_link_or_button 'Save'
    end
    assert_current_path admin_api_user_path(ApiUser.last)
    assert_text 'Record created'
    assert_text 'Username newtest'
    assert_text 'Password testtest'
  end
 end
--- a/test/system/admin_area/protected_area_test.rb
+++ b/test/system/admin_area/protected_area_test.rb
@ -0,0 +1,22 @@
 require 'test_helper'
 class AdminAreaProtectedAreaTest < ApplicationSystemTestCase
  def test_anonymous_user_is_asked_to_authenticate_when_navigating_to_protected_area
    visit admin_domains_url
    assert_text 'You need to sign in before continuing'
    assert_current_path new_admin_user_session_path
  end
  def test_authenticated_user_can_access_protected_area
    sign_in users(:admin)
    visit admin_domains_url
    assert_current_path admin_domains_path
  end
  def test_authenticated_user_is_not_asked_to_authenticate_again
    sign_in users(:admin)
    visit new_admin_user_session_url
    assert_text 'You are already signed in'
    assert_current_path admin_domains_path
  end
 end
--- a/test/system/admin_area/sign_in_test.rb
+++ b/test/system/admin_area/sign_in_test.rb
@ -0,0 +1,44 @@
 require 'test_helper'
 class AdminAreaSignInTest < ApplicationSystemTestCase
  setup do
    @user = users(:admin)
  end
  def test_correct_username_and_password
    visit new_admin_user_session_url
    fill_in 'admin_user_username', with: @user.username
    fill_in 'admin_user_password', with: 'testtest'
    click_button 'Sign in'
    assert_text 'Signed in successfully'
    assert_current_path admin_domains_path
  end
  def test_wrong_password
    visit new_admin_user_session_url
    fill_in 'admin_user_username', with: @user.username
    fill_in 'admin_user_password', with: 'wrong'
    click_button 'Sign in'
    assert_text 'Invalid Username or password'
    assert_current_path new_admin_user_session_path
  end
  def test_retry_with_correct_username_and_password
    visit new_admin_user_session_url
    fill_in 'admin_user_username', with: @user.username
    fill_in 'admin_user_password', with: 'wrong'
    click_button 'Sign in'
    assert_text 'Invalid Username or password'
    assert_current_path new_admin_user_session_path
    fill_in 'admin_user_username', with: @user.username
    fill_in 'admin_user_password', with: 'testtest'
    click_button 'Sign in'
    assert_text 'Signed in successfully'
    assert_current_path admin_domains_path
  end
 end
--- a/test/system/admin_area/sign_out_test.rb
+++ b/test/system/admin_area/sign_out_test.rb
@ -0,0 +1,15 @@
 require 'test_helper'
 class AdminAreaSignOutTest < ApplicationSystemTestCase
  setup do
    sign_in users(:admin)
  end
  def test_logout
    visit admin_root_url
    click_on 'Sign out'
    assert_text 'Signed out successfully'
    assert_current_path new_admin_user_session_path
  end
 end
--- a/Show more
+++ b/Show more