Refactor Devise integration

- Use scoped users
- Use the named route helpers instead of hardcoded paths

app/controllers/admin/base_controller.rb

@@ -1,10 +1,20 @@
 module Admin
   class BaseController < ApplicationController
-    before_action :authenticate_user!
+    before_action :authenticate_admin_user!
     helper_method :head_title_sufix
 
     def head_title_sufix
       t(:admin_head_title_sufix)
     end
+
+    private
+
+    def current_ability
+      @current_ability ||= Ability.new(current_admin_user)
+    end
+
+    def user_for_paper_trail
+      current_admin_user.present? ? current_admin_user.id_role_username : 'public'
+    end
   end
 end

app/controllers/admin/pending_deletes_controller.rb

@@ -6,7 +6,7 @@ module Admin
     def update
       authorize! :update, :pending
 
-      if registrant_verification.domain_registrant_delete_confirm!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_delete_confirm!("admin #{current_admin_user.username}")
         redirect_to admin_domain_path(@domain.id), notice: t(:pending_applied)
       else
         redirect_to admin_domain_path(@domain.id), alert: t(:failure)
@@ -16,7 +16,7 @@ module Admin
     def destroy
       authorize! :destroy, :pending
 
-      if registrant_verification.domain_registrant_delete_reject!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_delete_reject!("admin #{current_admin_user.username}")
         redirect_to admin_domain_path(@domain.id), notice: t(:pending_removed)
       else
         redirect_to admin_domain_path(@domain.id), alert: t(:failure)

app/controllers/admin/pending_updates_controller.rb

@@ -6,7 +6,7 @@ module Admin
     def update
       authorize! :update, :pending
 
-      if registrant_verification.domain_registrant_change_confirm!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_change_confirm!("admin #{current_admin_user.username}")
         redirect_to admin_domain_path(@domain.id), notice: t(:pending_applied)
       else
         redirect_to edit_admin_domain_path(@domain.id), alert: t(:failure)
@@ -15,7 +15,7 @@ module Admin
 
     def destroy
       authorize! :destroy, :pending
-      if registrant_verification.domain_registrant_change_reject!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_change_reject!("admin #{current_admin_user.username}")
         redirect_to admin_domain_path(@domain.id), notice: t(:pending_removed)
       else
         redirect_to admin_domain_path(@domain.id), alert: t(:failure)

app/controllers/admin/sessions_controller.rb

@@ -1,8 +1,6 @@
 module Admin
   class SessionsController < Devise::SessionsController
-    skip_authorization_check only: :create
+    def new
-
-    def login
       @admin_user = AdminUser.new
     end
 
@@ -10,19 +8,28 @@ module Admin
       if params[:admin_user].blank?
         @admin_user = AdminUser.new
         flash[:alert] = 'Something went wrong'
-        return render 'login'
+        return render :new
       end
 
       @admin_user = AdminUser.find_by(username: params[:admin_user][:username])
       @admin_user ||= AdminUser.new(username: params[:admin_user][:username])
 
       if @admin_user.valid_password?(params[:admin_user][:password])
-        sign_in @admin_user, event: :authentication
+        sign_in_and_redirect(:admin_user, @admin_user, event: :authentication)
-        redirect_to admin_root_url, notice: I18n.t(:welcome)
       else
         flash[:alert] = 'Authorization error'
-        render 'login'
+        render :new
       end
     end
+
+    private
+
+    def after_sign_in_path_for(resource_or_scope)
+      admin_root_path
+    end
+
+    def after_sign_out_path_for(resource_or_scope)
+      new_admin_user_session_path
+    end
   end
 end

app/controllers/application_controller.rb

@@ -12,63 +12,15 @@ class ApplicationController < ActionController::Base
   end
 
   rescue_from CanCan::AccessDenied do |exception|
-    redirect_to current_root_url, alert: exception.message
+    redirect_to root_url, alert: exception.message
   end
 
-  helper_method :registrant_request?, :registrar_request?, :admin_request?, :current_root_url
   helper_method :available_languages
 
-  def registrant_request?
-    request.path.match(/^\/registrant/)
-  end
-
-  def registrar_request?
-    request.path.match(/^\/registrar/)
-  end
-
-  def admin_request?
-    request.path.match(/^\/admin/)
-  end
-
-  def current_root_url
-    if registrar_request?
-      registrar_root_url
-    elsif registrant_request?
-      registrant_login_url
-    elsif admin_request?
-      admin_root_url
-    end
-  end
-
-  def after_sign_in_path_for(_resource)
-    rt = session[:user_return_to].to_s.presence
-    login_paths = [admin_login_path, registrar_login_path, '/login']
-    return rt if rt && !login_paths.include?(rt)
-    current_root_url
-  end
-
-  def after_sign_out_path_for(_resource)
-    if registrar_request?
-      registrar_login_url
-    elsif registrant_request?
-      registrant_login_url
-    elsif admin_request?
-      admin_login_url
-    end
-  end
-
   def info_for_paper_trail
     { uuid: request.uuid }
   end
 
-  def user_for_paper_trail
-    user_log_str(current_user)
-  end
-
-  def user_log_str(user)
-    user.nil? ? 'public' : user.id_role_username
-  end
-
   def comma_support_for(parent_key, key)
     return if params[parent_key].blank?
     return if params[parent_key][key].blank?
@@ -80,4 +32,8 @@ class ApplicationController < ActionController::Base
   def available_languages
     { en: 'English', et: 'Estonian' }.invert
   end
+
+  def user_for_paper_trail
+    current_user.present? ? current_user.id_role_username : 'public'
+  end
 end

app/controllers/registrant/contacts_controller.rb

@@ -2,7 +2,6 @@ class Registrant::ContactsController < RegistrantController
   helper_method :domain_ids
   def show
     @contact      = Contact.where(id: contacts).find_by(id: params[:id])
-    @current_user = current_user
 
     authorize! :read, @contact
   end
@@ -19,7 +18,7 @@ class Registrant::ContactsController < RegistrantController
 
   def domain_ids
     @domain_ids ||= begin
-      ident_cc, ident = @current_user.registrant_ident.to_s.split '-'
+      ident_cc, ident = current_registrant_user.registrant_ident.to_s.split '-'
       BusinessRegistryCache.fetch_by_ident_and_cc(ident, ident_cc).associated_domain_ids
     end
   end

app/controllers/registrant/domain_delete_confirms_controller.rb

@@ -19,7 +19,7 @@ class Registrant::DomainDeleteConfirmsController < RegistrantController
                                                           domain_name: @domain.name,
                                                           verification_token: params[:token])
 
-    initiator = current_user ? current_user.username : t(:user_not_authenticated)
+    initiator = current_registrant_user ? current_registrant_user.username : t(:user_not_authenticated)
 
     if params[:rejected]
       if @registrant_verification.domain_registrant_delete_reject!("email link #{initiator}")

app/controllers/registrant/domain_update_confirms_controller.rb

@@ -19,7 +19,7 @@ class Registrant::DomainUpdateConfirmsController < RegistrantController
                                                           domain_name: @domain.name,
                                                           verification_token: params[:token])
 
-    initiator = current_user ? current_user.username : t(:user_not_authenticated)
+    initiator = current_registrant_user ? current_registrant_user.username : t(:user_not_authenticated)
 
     if params[:rejected]
       if @registrant_verification.domain_registrant_change_reject!("email link, #{initiator}")

app/controllers/registrant/domains_controller.rb

@@ -54,13 +54,13 @@ class Registrant::DomainsController < RegistrantController
   end
 
   def domains
-    ident_cc, ident = @current_user.registrant_ident.split '-'
+    ident_cc, ident = current_registrant_user.registrant_ident.split '-'
     begin
       BusinessRegistryCache.fetch_associated_domains ident, ident_cc
     rescue Soap::Arireg::NotAvailableError => error
       flash[:notice] = I18n.t(error.json[:message])
       Rails.logger.fatal("[EXCEPTION] #{error.to_s}")
-      current_user.domains
+      current_registrant_user.domains
     end
   end
 

app/controllers/registrant/sessions_controller.rb

@@ -1,7 +1,7 @@
 class Registrant::SessionsController < Devise::SessionsController
   layout 'registrant/application'
 
-  def login
+  def new
   end
 
   def id
@@ -10,11 +10,10 @@ class Registrant::SessionsController < Devise::SessionsController
 
     @user = RegistrantUser.find_or_create_by_idc_data(id_code, id_issuer)
     if @user
-      sign_in(@user, event: :authentication)
+      sign_in_and_redirect(:registrant_user, @user, event: :authentication)
-      redirect_to registrant_root_url
     else
       flash[:alert] = t('login_failed_check_id_card')
-      redirect_to registrant_login_url
+      redirect_to new_registrant_user_session_url
     end
   end
 
@@ -68,7 +67,7 @@ class Registrant::SessionsController < Devise::SessionsController
     when 'USER_AUTHENTICATED'
       @user = RegistrantUser.find_by(registrant_ident: "#{session[:user_country]}-#{session[:user_id_code]}")
 
-      sign_in @user
+      sign_in(:registrant_user, @user)
       flash[:notice] = t(:welcome)
       flash.keep(:notice)
       render js: "window.location = '#{registrant_root_path}'"
@@ -97,4 +96,14 @@ class Registrant::SessionsController < Devise::SessionsController
     return User.new unless idc
     ApiUser.find_by(identity_code: idc) || User.new
   end
+
+  private
+
+  def after_sign_in_path_for(resource_or_scope)
+    registrant_root_path
+  end
+
+  def after_sign_out_path_for(resource_or_scope)
+    new_registrant_user_session_path
+  end
 end

app/controllers/registrant_controller.rb

@@ -1,11 +1,22 @@
 class RegistrantController < ApplicationController
-  before_action :authenticate_user!
+  before_action :authenticate_registrant_user!
   layout 'registrant/application'
 
   include Registrant::ApplicationHelper
 
   helper_method :head_title_sufix
+
   def head_title_sufix
     t(:registrant_head_title_sufix)
   end
+
+  private
+
+  def current_ability
+    @current_ability ||= Ability.new(current_registrant_user, request.remote_ip)
+  end
+
+  def user_for_paper_trail
+    current_registrant_user.present? ? current_registrant_user.id_role_username : 'public'
+  end
 end

app/controllers/registrar/account_activities_controller.rb

@@ -4,7 +4,7 @@ class Registrar
 
     def index
       params[:q] ||= {}
-      account = current_user.registrar.cash_account
+      account = current_registrar_user.registrar.cash_account
 
       ca_cache = params[:q][:created_at_lteq]
       begin

app/controllers/registrar/base_controller.rb

@@ -2,7 +2,7 @@ class Registrar
   class BaseController < ApplicationController
     include Registrar::ApplicationHelper
 
-    before_action :authenticate_user!
+    before_action :authenticate_registrar_user!
     before_action :check_ip_restriction
     helper_method :depp_controller?
     helper_method :head_title_sufix
@@ -10,21 +10,21 @@ class Registrar
     protected
 
     def current_ability
-      @current_ability ||= Ability.new(current_user, request.remote_ip)
+      @current_ability ||= Ability.new(current_registrar_user, request.remote_ip)
     end
 
     private
 
     def check_ip_restriction
       ip_restriction = Authorization::RestrictedIP.new(request.ip)
-      allowed = ip_restriction.can_access_registrar_area?(current_user.registrar)
+      allowed = ip_restriction.can_access_registrar_area?(current_registrar_user.registrar)
 
       return if allowed
 
-      sign_out current_user
+      sign_out current_registrar_user
 
       flash[:alert] = t('registrar.authorization.ip_not_allowed', ip: request.ip)
-      redirect_to registrar_login_url
+      redirect_to new_registrar_user_session_url
     end
 
     def depp_controller?
@@ -34,5 +34,9 @@ class Registrar
     def head_title_sufix
       t(:registrar_head_title_sufix)
     end
+
+    def user_for_paper_trail
+      current_registrar_user.present? ? current_registrar_user.id_role_username : 'public'
+    end
   end
 end

app/controllers/registrar/bulk_change_controller.rb

@@ -10,7 +10,7 @@ class Registrar
     private
 
     def available_contacts
-      current_user.registrar.contacts.order(:name).pluck(:name, :code)
+      current_registrar_user.registrar.contacts.order(:name).pluck(:name, :code)
     end
 
     def default_tab

app/controllers/registrar/contacts_controller.rb

@@ -21,11 +21,11 @@ class Registrar
       end
 
       if params[:statuses_contains]
-        contacts = current_user.registrar.contacts.includes(:registrar).where(
+        contacts = current_registrar_user.registrar.contacts.includes(:registrar).where(
           "contacts.statuses @> ?::varchar[]", "{#{params[:statuses_contains].join(',')}}"
         )
       else
-        contacts = current_user.registrar.contacts.includes(:registrar)
+        contacts = current_registrar_user.registrar.contacts.includes(:registrar)
       end
 
       normalize_search_parameters do
@@ -45,7 +45,7 @@ class Registrar
         @contacts = Contact.find_by(name: params[:q][:name_matches])
       end
 
-      contacts = current_user.registrar.contacts.includes(:registrar)
+      contacts = current_registrar_user.registrar.contacts.includes(:registrar)
       contacts = contacts.filter_by_states(params[:statuses_contains]) if params[:statuses_contains]
 
       normalize_search_parameters do

app/controllers/registrar/current_user_controller.rb

@@ -3,9 +3,9 @@ class Registrar
     skip_authorization_check
 
     def switch
-      raise 'Cannot switch to unlinked user' unless current_user.linked_with?(new_user)
+      raise 'Cannot switch to unlinked user' unless current_registrar_user.linked_with?(new_user)
 
-      sign_in(new_user)
+      sign_in(:registrar_user, new_user)
       redirect_to :back, notice: t('.switched', new_user: new_user)
     end
 

app/controllers/registrar/deposits_controller.rb

@@ -7,7 +7,7 @@ class Registrar
     end
 
     def create
-      @deposit = Deposit.new(deposit_params.merge(registrar: current_user.registrar))
+      @deposit = Deposit.new(deposit_params.merge(registrar: current_registrar_user.registrar))
       @invoice = @deposit.issue_prepayment_invoice
 
       if @invoice&.persisted?

app/controllers/registrar/depp_controller.rb

@@ -5,13 +5,13 @@ class Registrar
     rescue_from(Errno::ECONNRESET, Errno::ECONNREFUSED) do |exception|
       logger.error 'COULD NOT CONNECT TO REGISTRY'
       logger.error exception.backtrace.join("\n")
-      redirect_to registrar_login_url, alert: t(:no_connection_to_registry)
+      redirect_to new_registrar_user_session_url, alert: t(:no_connection_to_registry)
     end
 
     before_action :authenticate_user
 
     def authenticate_user
-      redirect_to registrar_login_url and return unless depp_current_user
+      redirect_to new_registrar_user_session_url and return unless depp_current_user
     end
 
     def depp_controller?
@@ -19,10 +19,10 @@ class Registrar
     end
 
     def depp_current_user
-      return nil unless current_user
+      return nil unless current_registrar_user
       @depp_current_user ||= Depp::User.new(
-        tag: current_user.username,
+        tag: current_registrar_user.username,
-        password: current_user.password
+        password: current_registrar_user.password
       )
     end
 

app/controllers/registrar/domain_transfers_controller.rb

@@ -21,7 +21,7 @@ class Registrar
         uri = URI.parse("#{ENV['repp_url']}domain_transfers")
         request = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json')
         request.body = { data: { domainTransfers: domain_transfers } }.to_json
-        request.basic_auth(current_user.username, current_user.password)
+        request.basic_auth(current_registrar_user.username, current_registrar_user.password)
 
 
         if Rails.env.test?

app/controllers/registrar/domains_controller.rb

@@ -16,11 +16,11 @@ class Registrar
       end
 
       if params[:statuses_contains]
-        domains = current_user.registrar.domains.includes(:registrar, :registrant).where(
+        domains = current_registrar_user.registrar.domains.includes(:registrar, :registrant).where(
           "statuses @> ?::varchar[]", "{#{params[:statuses_contains].join(',')}}"
         )
       else
-        domains = current_user.registrar.domains.includes(:registrar, :registrant)
+        domains = current_registrar_user.registrar.domains.includes(:registrar, :registrant)
       end
 
       normalize_search_parameters do
@@ -142,7 +142,7 @@ class Registrar
     def search_contacts
       authorize! :create, Depp::Domain
 
-      scope = current_user.registrar.contacts.limit(10)
+      scope = current_registrar_user.registrar.contacts.limit(10)
       if params[:query].present?
         escaped_str = ActiveRecord::Base.connection.quote_string params[:query]
         scope = scope.where("name ilike '%#{escaped_str}%' OR code ilike '%#{escaped_str}%' ")
@@ -159,7 +159,7 @@ class Registrar
 
 
     def contacts
-      current_user.registrar.contacts
+      current_registrar_user.registrar.contacts
     end
 
     def normalize_search_parameters

app/controllers/registrar/invoices_controller.rb

@@ -6,7 +6,7 @@ class Registrar
 
     def index
       params[:q] ||= {}
-      invoices = current_user.registrar.invoices.includes(:invoice_items, :account_activity)
+      invoices = current_registrar_user.registrar.invoices.includes(:invoice_items, :account_activity)
 
       normalize_search_parameters do
         @q = invoices.search(params[:q])

app/controllers/registrar/nameservers_controller.rb

@@ -12,7 +12,7 @@ class Registrar
                                attributes: { hostname: params[:new_hostname],
                                              ipv4: ipv4,
                                              ipv6: ipv6 } } }.to_json
-      request.basic_auth(current_user.username, current_user.password)
+      request.basic_auth(current_registrar_user.username, current_registrar_user.password)
 
       if Rails.env.test?
         response = Net::HTTP.start(uri.hostname, uri.port,

app/controllers/registrar/profile_controller.rb

@@ -5,13 +5,13 @@ class Registrar
     helper_method :linked_users
 
     def show
-      @user = current_user
+      @user = current_registrar_user
     end
 
     private
 
     def linked_users
-      current_user.linked_users
+      current_registrar_user.linked_users
     end
   end
 end

app/controllers/registrar/sessions_controller.rb

@@ -3,7 +3,7 @@ class Registrar
     before_action :check_ip_restriction
     helper_method :depp_controller?
 
-    def login
+    def new
       @depp_user = Depp::User.new
     end
 
@@ -30,7 +30,7 @@ class Registrar
 
       unless @api_user
         @depp_user.errors.add(:base, t(:no_such_user))
-        render 'login' and return
+        render :new and return
       end
 
       if @depp_user.pki
@@ -41,14 +41,13 @@ class Registrar
 
       if @depp_user.errors.none?
         if @api_user.active?
-          sign_in @api_user
+          sign_in_and_redirect(:registrar_user, @api_user)
-          redirect_to registrar_root_url
         else
           @depp_user.errors.add(:base, :not_active)
-          render 'login'
+          render :new
         end
       else
-        render 'login'
+        render :new
       end
     end
 
@@ -56,11 +55,10 @@ class Registrar
       @user = ApiUser.find_by_idc_data_and_allowed(request.env['SSL_CLIENT_S_DN'], request.ip)
 
       if @user
-        sign_in(@user, event: :authentication)
+        sign_in_and_redirect(:registrar_user, @user, event: :authentication)
-        redirect_to registrar_root_url
       else
         flash[:alert] = t('no_such_user')
-        redirect_to registrar_login_url
+        redirect_to new_registrar_user_session_url
       end
     end
 
@@ -117,7 +115,7 @@ class Registrar
           render json: { message: t(:check_your_phone_for_confirmation_code) }, status: :ok
         when 'USER_AUTHENTICATED'
           @user = find_user_by_idc_and_allowed(session[:user_id_code])
-          sign_in @user
+          sign_in(:registrar_user, @user)
           flash[:notice] = t(:welcome)
           flash.keep(:notice)
           render js: "window.location = '#{registrar_root_url}'"
@@ -163,8 +161,6 @@ class Registrar
       end
     end
 
-
-
     def check_ip_restriction
       ip_restriction = Authorization::RestrictedIP.new(request.ip)
       allowed = ip_restriction.can_access_registrar_area_sign_in_page?
@@ -173,5 +169,13 @@ class Registrar
 
       render text: t('registrar.authorization.ip_not_allowed', ip: request.ip)
     end
+
+    def after_sign_in_path_for(resource_or_scope)
+      registrar_root_path
+    end
+
+    def after_sign_out_path_for(resource_or_scope)
+      new_registrar_user_session_path
+    end
   end
 end

app/controllers/registrar/tech_contacts_controller.rb

@@ -8,7 +8,7 @@ class Registrar
       request = Net::HTTP::Patch.new(uri)
       request.set_form_data(current_contact_id: params[:current_contact_id],
                             new_contact_id: params[:new_contact_id])
-      request.basic_auth(current_user.username, current_user.password)
+      request.basic_auth(current_registrar_user.username, current_registrar_user.password)
 
       if Rails.env.test?
         response = Net::HTTP.start(uri.hostname, uri.port,

app/views/admin/base/_menu.haml

@@ -41,4 +41,4 @@
 
   - if signed_in?
     %ul.nav.navbar-nav.navbar-right
-      %li= link_to t(:log_out, user: current_user), '/admin/logout'
+      %li= link_to t(:log_out, user: current_admin_user), destroy_admin_user_session_path, method: :delete, class: 'navbar-link'

app/views/admin/sessions/new.haml

@@ -3,7 +3,7 @@
     %h2.form-signin-heading.text-center Eesti Interneti SA
     %hr
     .form-signin
-      = form_for(@admin_user, url: admin_sessions_path, method: :create, html: {class: 'form-signin'}) do |f|
+      = form_for(@admin_user, url: admin_user_session_path, html: {class: 'form-signin'}) do |f|
         = render 'admin/shared/errors', object: f.object
 
         - error_class = f.object.errors.any? ? 'has-error' : ''

app/views/layouts/devise.haml

@@ -18,7 +18,7 @@
             %span.icon-bar
             %span.icon-bar
             %span.icon-bar
-          = link_to admin_login_path, class: 'navbar-brand' do
+          = link_to new_admin_user_session_path, class: 'navbar-brand' do
             = ENV['app_name']
             - if unstable_env.present?
               .text-center

app/views/layouts/registrant/application.html.erb

@@ -37,7 +37,7 @@
                         <% end %>
                     <% end %>
                 </div>
-                <% if current_user %>
+                <% if current_registrant_user %>
                     <div class="navbar-collapse collapse">
                         <ul class="nav navbar-nav public-nav">
                             <% if can? :view, Depp::Domain %>
@@ -54,9 +54,9 @@
                             <% end %>
                         </ul>
                         <ul class="nav navbar-nav navbar-right">
-                            <% if user_signed_in? %>
+                            <% if registrant_user_signed_in? %>
                                 <li>
-                                    <%= link_to t(:log_out, user: current_user), '/registrant/logout' %>
+                                    <%= link_to t(:log_out, user: current_registrant_user), destroy_registrant_user_session_path, method: :delete %>
                                 </li>
                             <% end %>
                         </ul>

app/views/registrar/base/_current_user.html.erb

@@ -1,5 +1,5 @@
-<% current_user_presenter = UserPresenter.new(user: current_user, view: self) %>
+<% current_user_presenter = UserPresenter.new(user: current_registrar_user, view: self) %>
 <%= link_to current_user_presenter.login_with_role, registrar_profile_path, id: 'registrar-profile-btn',
             class: 'navbar-link' %>
 <span class="text-muted">|</span>
-<%= link_to t('.sign_out'), registrar_destroy_user_session_path, method: :delete, class: 'navbar-link' %>
+<%= link_to t('.sign_out'), destroy_registrar_user_session_path, method: :delete, class: 'navbar-link' %>

app/views/registrar/invoices/index.haml

@@ -4,8 +4,8 @@
 = render 'shared/title', name: t(:your_account)
 
 = t(:your_current_account_balance_is,
-  balance: currency(current_user.registrar.cash_account.balance),
+  balance: currency(current_registrar_user.registrar.cash_account.balance),
-  currency: current_user.registrar.cash_account.currency)
+  currency: current_registrar_user.registrar.cash_account.currency)
 
 %h1= t(:invoices)
 .row

app/views/registrar/sessions/new.haml

@@ -2,7 +2,7 @@
   .form-signin.col-md-6.center-block.text-center
     %h2.form-signin-heading.text-center= t(:log_in)
     %hr
-    = form_for @depp_user, url: registrar_sessions_path, html: {class: 'form-signin'} do |f|
+    = form_for @depp_user, url: registrar_user_session_path, html: {class: 'form-signin'} do |f|
       = render 'registrar/shared/errors', object: f.object
 
       - error_class = f.object.errors.any? ? 'has-error' : ''

config/locales/registrar/sessions.en.yml

@@ -1,7 +1,7 @@
 en:
   registrar:
     sessions:
-      login:
+      new:
         login_btn: Login
       login_mid:
         login_btn: Login

config/routes.rb

@@ -22,6 +22,16 @@ Rails.application.routes.draw do
   namespace :registrar do
     root 'dashboard#show'
 
+    devise_for :users, path: '', path_names: { sign_in: 'login', sign_out: 'logout' },
+               class_name: 'ApiUser'
+    devise_scope :registrar_user do
+      get 'login/mid' => 'sessions#login_mid'
+      post 'login/mid' => 'sessions#mid'
+      post 'login/mid_status' => 'sessions#mid_status'
+      post 'id' => 'sessions#id'
+      post 'mid' => 'sessions#mid'
+    end
+
     resources :invoices do
       member do
         get 'download_pdf'
@@ -33,18 +43,6 @@ Rails.application.routes.draw do
     resources :deposits
     resources :account_activities
 
-    devise_scope :user do
-      get 'login' => 'sessions#login'
-      get 'login/mid' => 'sessions#login_mid'
-      post 'login/mid' => 'sessions#mid'
-      post 'login/mid_status' => 'sessions#mid_status'
-
-      post 'sessions' => 'sessions#create'
-      post 'id' => 'sessions#id'
-      post 'mid' => 'sessions#mid'
-      delete 'logout', to: '/devise/sessions#destroy', as: :destroy_user_session
-    end
-
     put 'current_user/switch/:new_user_id', to: 'current_user#switch', as: :switch_current_user
     resource :profile, controller: :profile, only: :show
 
@@ -100,6 +98,16 @@ Rails.application.routes.draw do
   namespace :registrant do
     root 'domains#index'
 
+    devise_for :users, path: '', path_names: { sign_in: 'login', sign_out: 'logout' },
+               class_name: 'RegistrantUser'
+    devise_scope :registrant_user do
+      get 'login/mid' => 'sessions#login_mid'
+      post 'login/mid' => 'sessions#mid'
+      post 'login/mid_status' => 'sessions#mid_status'
+      post 'mid' => 'sessions#mid'
+      post 'id' => 'sessions#id'
+    end
+
     resources :domains, only: %i[index show] do
       collection do
         get :download_list
@@ -112,19 +120,6 @@ Rails.application.routes.draw do
 
     resources :domain_update_confirms
     resources :domain_delete_confirms
-
-    devise_scope :user do
-      get 'login' => 'sessions#login'
-      get 'login/mid' => 'sessions#login_mid'
-      post 'login/mid' => 'sessions#mid'
-      post 'login/mid_status' => 'sessions#mid_status'
-
-      post 'sessions' => 'sessions#create'
-      post 'mid' => 'sessions#mid'
-      post 'id' => 'sessions#id'
-      get 'logout' => '/devise/sessions#destroy'
-    end
-
     resources :domains do
       resources :registrant_verifications
       collection do
@@ -150,6 +145,8 @@ Rails.application.routes.draw do
   # ADMIN ROUTES
   namespace :admin do
     root 'dashboard#show'
+    devise_for :users, path: '', path_names: { sign_in: 'login', sign_out: 'logout' },
+               class_name: 'AdminUser'
 
     resources :keyrelays
     resources :zonefiles
@@ -251,18 +248,10 @@ Rails.application.routes.draw do
     resources :epp_logs
     resources :repp_logs
 
-    devise_scope :user do
+    authenticate :admin_user do
-      get 'login' => 'sessions#login'
-      post 'sessions' => 'sessions#create'
-      get 'logout' => '/devise/sessions#destroy'
-    end
-
-    authenticate :user do
       mount Que::Web, at: 'que'
     end
   end
 
-  devise_for :users
-
   root to: redirect('admin/login')
 end

doc/controllers_complete.svg

@@ -433,14 +433,6 @@
 <path fill="none" stroke="black" d="M-467.5,-480.5C-467.5,-480.5 -344.5,-480.5 -344.5,-480.5 -338.5,-480.5 -332.5,-486.5 -332.5,-492.5 -332.5,-492.5 -332.5,-681.5 -332.5,-681.5 -332.5,-687.5 -338.5,-693.5 -344.5,-693.5 -344.5,-693.5 -467.5,-693.5 -467.5,-693.5 -473.5,-693.5 -479.5,-687.5 -479.5,-681.5 -479.5,-681.5 -479.5,-492.5 -479.5,-492.5 -479.5,-486.5 -473.5,-480.5 -467.5,-480.5"/>
 <text text-anchor="middle" x="-406" y="-678.3" font-family="Times,serif" font-size="14.00">ApplicationController</text>
 <polyline fill="none" stroke="black" points="-479.5,-670.5 -332.5,-670.5 "/>
-<text text-anchor="start" x="-471.5" y="-655.3" font-family="Times,serif" font-size="14.00">admin_request?</text>
-<text text-anchor="start" x="-471.5" y="-640.3" font-family="Times,serif" font-size="14.00">after_sign_in_path_for</text>
-<text text-anchor="start" x="-471.5" y="-625.3" font-family="Times,serif" font-size="14.00">after_sign_out_path_for</text>
-<text text-anchor="start" x="-471.5" y="-610.3" font-family="Times,serif" font-size="14.00">api_user_log_str</text>
-<text text-anchor="start" x="-471.5" y="-595.3" font-family="Times,serif" font-size="14.00">current_root_url</text>
-<text text-anchor="start" x="-471.5" y="-565.3" font-family="Times,serif" font-size="14.00">registrant_request?</text>
-<text text-anchor="start" x="-471.5" y="-550.3" font-family="Times,serif" font-size="14.00">registrar_request?</text>
-<text text-anchor="start" x="-471.5" y="-535.3" font-family="Times,serif" font-size="14.00">user_for_paper_trail</text>
 <polyline fill="none" stroke="black" points="-479.5,-527.5 -332.5,-527.5 "/>
 <polyline fill="none" stroke="black" points="-479.5,-503.5 -332.5,-503.5 "/>
 <text text-anchor="start" x="-471.5" y="-488.3" font-family="Times,serif" font-size="14.00">_layout</text>

spec/features/registrar/home_link_spec.rb

@@ -2,7 +2,7 @@ require 'rails_helper'
 
 RSpec.feature 'Registrar area home link', db: true do
   scenario 'is visible' do
-    visit registrar_login_url
+    visit new_registrar_user_session_url
     expect(page).to have_link('registrar-home-btn', href: registrar_root_path)
   end
 end

spec/features/registrar/sign_in/mobile_id_spec.rb

@@ -9,7 +9,7 @@ RSpec.feature 'Mobile ID login', db: true do
   end
 
   scenario 'login with phone number' do
-    visit registrar_login_path
+    visit new_registrar_user_session_url
     click_on 'login-with-mobile-id-btn'
 
     fill_in 'user[phone]', with: '1234'

spec/features/registrar/sign_in/password_spec.rb

@@ -1,39 +0,0 @@
-require 'rails_helper'
-
-RSpec.feature 'Registrar area password sign-in' do
-  scenario 'signs in the user with valid credentials' do
-    create(:api_user_with_unlimited_balance,
-           active: true,
-           login: 'test',
-           password: 'testtest')
-
-    visit registrar_login_path
-    sign_in_with 'test', 'testtest'
-
-    expect(page).to have_text(t('registrar.base.current_user.sign_out'))
-  end
-
-  scenario 'notifies the user with invalid credentials' do
-    create(:api_user, login: 'test', password: 'testtest')
-
-    visit registrar_login_path
-    sign_in_with 'test', 'invalid'
-
-    expect(page).to have_text('No such user')
-  end
-
-  scenario 'notifies the user with inactive account' do
-    create(:api_user, active: false, login: 'test', password: 'testtest')
-
-    visit registrar_login_path
-    sign_in_with 'test', 'testtest'
-
-    expect(page).to have_text('User is not active')
-  end
-
-  def sign_in_with(username, password)
-    fill_in 'depp_user_tag', with: username
-    fill_in 'depp_user_password', with: password
-    click_button 'Login'
-  end
-end

spec/features/registrar/sign_out_spec.rb

@@ -1,14 +0,0 @@
-require 'rails_helper'
-
-RSpec.feature 'Registrar area sign-out', settings: false do
-  background do
-    sign_in_to_registrar_area(user: create(:api_user_with_unlimited_balance))
-  end
-
-  scenario 'signs the user out' do
-    visit registrar_root_path
-    click_on t('registrar.base.current_user.sign_out')
-
-    expect(page).to have_text('Signed out successfully.')
-  end
-end

spec/requests/registrar/ip_restriction_spec.rb

@@ -22,7 +22,7 @@ RSpec.describe 'Registrar area IP restriction', settings: false do
       context 'when ip is allowed' do
         let!(:white_ip) { create(:white_ip,
                                  ipv4: '127.0.0.1',
-                                 registrar: controller.current_user.registrar,
+                                 registrar: controller.current_registrar_user.registrar,
                                  interfaces: [WhiteIp::REGISTRAR]) }
 
         specify do
@@ -36,12 +36,12 @@ RSpec.describe 'Registrar area IP restriction', settings: false do
         it 'signs the user out' do
           get registrar_root_url
           follow_redirect!
-          expect(controller.current_user).to be_nil
+          expect(controller.current_registrar_user).to be_nil
         end
 
         it 'redirects to login url' do
           get registrar_root_url
-          expect(response).to redirect_to(registrar_login_url)
+          expect(response).to redirect_to(new_registrar_user_session_url)
         end
       end
     end
@@ -67,14 +67,14 @@ RSpec.describe 'Registrar area IP restriction', settings: false do
                                  interfaces: [WhiteIp::REGISTRAR]) }
 
         specify do
-          get registrar_login_path
+          get new_registrar_user_session_path
           expect(response).to be_success
         end
       end
 
       context 'when ip is not allowed' do
         specify do
-          get registrar_login_path
+          get new_registrar_user_session_path
           expect(response.body).to match "Access denied"
         end
       end
@@ -82,7 +82,7 @@ RSpec.describe 'Registrar area IP restriction', settings: false do
 
     context 'when IP restriction is disabled' do
       specify do
-        get registrar_login_path
+        get new_registrar_user_session_path
         expect(response).to be_success
       end
     end

spec/requests/registrar/linked_users_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe 'Registrar area linked users', db: false do
       let!(:current_user) { create(:api_user, id: 1, identity_code: 'code') }
 
       before do
-        sign_in_to_registrar_area(user: current_user)
+        sign_in current_user
       end
 
       context 'when ip is allowed' do
@@ -23,7 +23,7 @@ RSpec.describe 'Registrar area linked users', db: false do
           it 'signs in as a new user' do
             put '/registrar/current_user/switch/2', nil, { HTTP_REFERER: registrar_contacts_url }
             follow_redirect!
-            expect(controller.current_user.id).to eq(2)
+            expect(controller.current_registrar_user.id).to eq(2)
           end
 
           it 'redirects back' do
@@ -46,7 +46,6 @@ RSpec.describe 'Registrar area linked users', db: false do
               put '/registrar/current_user/switch/2', nil, { HTTP_REFERER: registrar_contacts_path }
             end
 
-            follow_redirect!
             expect(controller.current_user.id).to eq(1)
           end
         end
@@ -62,7 +61,7 @@ RSpec.describe 'Registrar area linked users', db: false do
 
         specify do
           put '/registrar/current_user/switch/2'
-          expect(response).to redirect_to(registrar_login_url)
+          expect(response).to redirect_to(new_registrar_user_session_url)
         end
       end
     end
@@ -70,7 +69,7 @@ RSpec.describe 'Registrar area linked users', db: false do
     context 'when user is not authenticated' do
       specify do
         put '/registrar/current_user/switch/2'
-        expect(response).to redirect_to(registrar_login_url)
+        expect(response).to redirect_to(new_registrar_user_session_url)
       end
     end
   end

spec/requests/registrar/sign_in/password_spec.rb

@@ -1,16 +0,0 @@
-require 'rails_helper'
-
-RSpec.describe 'Registrar area password sign-in', settings: false do
-  let!(:user) { create(:api_user, active: true, login: 'test', password: 'testtest') }
-
-  it 'signs the user in' do
-    post registrar_sessions_path, depp_user: { tag: 'test', password: 'testtest' }
-    follow_redirect!
-    expect(controller.current_user).to eq(user)
-  end
-
-  it 'redirects to root url' do
-    post registrar_sessions_path, depp_user: { tag: 'test', password: 'testtest' }
-    expect(response).to redirect_to(registrar_root_url)
-  end
-end

spec/requests/registrar/sign_out_spec.rb

@@ -1,18 +0,0 @@
-require 'rails_helper'
-
-RSpec.describe 'Registrar area sign-out', settings: false do
-  before do
-    sign_in_to_registrar_area
-  end
-
-  it 'signs the user out' do
-    delete registrar_destroy_user_session_path
-    follow_redirect!
-    expect(controller.current_user).to be_nil
-  end
-
-  it 'redirects to login url' do
-    delete registrar_destroy_user_session_path
-    expect(response).to redirect_to(registrar_login_url)
-  end
-end

spec/support/features/session_helpers.rb

@@ -1,7 +1,7 @@
 module Features
   module SessionHelpers
     def sign_in_to_admin_area(user: create(:admin_user))
-      visit admin_login_url
+      visit new_admin_user_session_url
 
       fill_in 'admin_user[username]', with: user.username
       fill_in 'admin_user[password]', with: user.password
@@ -10,7 +10,7 @@ module Features
     end
 
     def sign_in_to_registrar_area(user: create(:api_user))
-      visit registrar_login_url
+      visit new_registrar_user_session_url
 
       fill_in 'depp_user_tag', with: user.username
       fill_in 'depp_user_password', with: user.password

spec/support/requests/session_helpers.rb

@@ -1,11 +1,11 @@
 module Requests
   module SessionHelpers
     def sign_in_to_admin_area(user: create(:admin_user))
-      post admin_sessions_path, admin_user: { username: user.username, password: user.password }
+      post admin_user_session_path, admin_user: { username: user.username, password: user.password }
     end
 
     def sign_in_to_registrar_area(user: create(:api_user))
-      post registrar_sessions_path, { depp_user: { tag: user.username, password: user.password } }
+      post registrar_user_session_path, { depp_user: { tag: user.username, password: user.password } }
     end
   end
 end

test/integration/admin/login_test.rb

@@ -0,0 +1,27 @@
+require 'test_helper'
+
+class AdminAreaLoginTest < ActionDispatch::IntegrationTest
+  def setup
+    @user = users(:admin)
+  end
+
+  def test_correct_username_and_password
+    visit new_admin_user_session_url
+    fill_in 'admin_user_username', with: @user.username
+    fill_in 'admin_user_password', with: 'testtest'
+    click_button 'Log in'
+
+    assert_text 'Log out'
+    assert_current_path admin_root_path
+  end
+
+  def test_wrong_password
+    visit new_admin_user_session_url
+    fill_in 'admin_user_username', with: @user.username
+    fill_in 'admin_user_password', with: 'wrong'
+    click_button 'Log in'
+
+    assert_text 'Authorization error'
+    assert_current_path new_admin_user_session_path
+  end
+end

test/integration/admin/logout_test.rb

@@ -0,0 +1,15 @@
+require 'test_helper'
+
+class AdminAreaLogoutTest < ActionDispatch::IntegrationTest
+  def setup
+    sign_in users(:admin)
+  end
+
+  def test_logout
+    visit admin_root_url
+    click_on 'Log out'
+
+    assert_text 'Signed out successfully'
+    assert_current_path new_admin_user_session_path
+  end
+end

test/integration/admin/protected_area_test.rb

@@ -0,0 +1,22 @@
+require 'test_helper'
+
+class AdminAreaProtectedAreaTest < ActionDispatch::IntegrationTest
+  def test_unauthenticated_user_is_asked_to_authenticate_when_navigating_to_protected_area
+    visit admin_domains_url
+    assert_text 'You need to sign in before continuing'
+    assert_current_path new_admin_user_session_path
+  end
+
+  def test_authenticated_user_can_access_protected_area
+    sign_in users(:admin)
+    visit admin_domains_url
+    assert_current_path admin_domains_path
+  end
+
+  def test_authenticated_user_is_not_asked_to_authenticate_again
+    sign_in users(:admin)
+    visit new_admin_user_session_url
+    assert_text 'You are already signed in'
+    assert_current_path admin_root_path
+  end
+end

test/integration/registrar/login_test.rb

@@ -0,0 +1,39 @@
+require 'test_helper'
+
+class RegistrarAreaLoginTest < ActionDispatch::IntegrationTest
+  def setup
+    @user = users(:api_bestnames)
+  end
+
+  def test_correct_username_and_password
+    visit new_registrar_user_session_url
+    fill_in 'depp_user_tag', with: @user.username
+    fill_in 'depp_user_password', with: 'testtest'
+    click_button 'Login'
+
+    assert_text 'Log out'
+    assert_current_path registrar_root_path
+  end
+
+  def test_wrong_password
+    visit new_registrar_user_session_url
+    fill_in 'depp_user_tag', with: @user.username
+    fill_in 'depp_user_password', with: 'wrong'
+    click_button 'Login'
+
+    assert_text 'No such user'
+    assert_current_path new_registrar_user_session_path
+  end
+
+  def test_inactive_user
+    @user.update!(active: false)
+
+    visit new_registrar_user_session_url
+    fill_in 'depp_user_tag', with: @user.username
+    fill_in 'depp_user_password', with: 'testtest'
+    click_button 'Login'
+
+    assert_text 'User is not active'
+    assert_current_path new_registrar_user_session_path
+  end
+end

test/integration/registrar/logout_test.rb

@@ -0,0 +1,15 @@
+require 'test_helper'
+
+class RegistrarAreaLogoutTest < ActionDispatch::IntegrationTest
+  def setup
+    sign_in users(:api_bestnames)
+  end
+
+  def test_logout
+    visit registrar_root_url
+    click_on 'Log out'
+
+    assert_text 'Signed out successfully'
+    assert_current_path new_registrar_user_session_path
+  end
+end

test/integration/registrar/protected_area_test.rb

@@ -0,0 +1,22 @@
+require 'test_helper'
+
+class RegistrarAreaProtectedAreaTest < ActionDispatch::IntegrationTest
+  def test_unauthenticated_user_is_asked_to_authenticate_when_navigating_to_protected_area
+    visit registrar_domains_url
+    assert_text 'You need to sign in before continuing'
+    assert_current_path new_registrar_user_session_path
+  end
+
+  def test_authenticated_user_can_access_protected_area
+    sign_in users(:api_bestnames)
+    visit registrar_domains_url
+    assert_current_path registrar_domains_path
+  end
+
+  def test_authenticated_user_is_not_asked_to_authenticate_again
+    sign_in users(:api_bestnames)
+    visit new_registrar_user_session_url
+    assert_text 'You are already signed in'
+    assert_current_path registrar_root_path
+  end
+end