pkce auth

Author: karissarjacobsen

.github/workflows/rubyonrails.yml

@@ -1,41 +1,47 @@
-# This workflow uses actions that are not certified by GitHub.  They are
-# provided by a third-party and are governed by separate terms of service,
-# privacy policy, and support documentation.
-#
-# This workflow will install a prebuilt Ruby version, install dependencies, and
-# run tests and linters.
-name: "Ruby on Rails CI"
-on:
-  push:
-    branches: [ "master" ]
-  pull_request:
-    branches: [ "master" ]
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-        
-      - name: Install Ruby and gems
-        uses: ruby/setup-ruby@v1
-        with:
-          bundler-cache: true
-          ruby-version: 3.1.2
-
-      - name: Run linter
-        run: bundle exec rubocop --parallel
-
-      - name: Run tests
-        run: |
-          gem install docusign_esign
-          gem install docusign_click
-          ruby test/run_tests.rb
-        env:
-          CLIENT_ID: ${{ secrets.CLIENT_ID }}
-          USER_ID: ${{ secrets.USER_ID }}
-          SIGNER_EMAIL: ${{ secrets.SIGNER_EMAIL }}
-          SIGNER_NAME: ${{ secrets.SIGNER_NAME }}
-          PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
-
+# This workflow uses actions that are not certified by GitHub.  They are
+# provided by a third-party and are governed by separate terms of service,
+# privacy policy, and support documentation.
+#
+# This workflow will install a prebuilt Ruby version, install dependencies, and
+# run tests and linters.
+name: "Ruby on Rails CI"
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        
+      - name: Install Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: false
+          ruby-version: 3.1.2
+
+      - name: Update rubygems
+        run: gem update --system
+
+      - name: Install dependencies
+        run: bundle install
+
+      - name: Run linter
+        run: bundle exec rubocop --parallel
+
+      - name: Run tests
+        run: |
+          gem install docusign_esign
+          gem install docusign_click
+          ruby test/run_tests.rb
+        env:
+          CLIENT_ID: ${{ secrets.CLIENT_ID }}
+          USER_ID: ${{ secrets.USER_ID }}
+          SIGNER_EMAIL: ${{ secrets.SIGNER_EMAIL }}
+          SIGNER_NAME: ${{ secrets.SIGNER_NAME }}
+          PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
+

app/controllers/admin_api/aeg001_create_user_controller.rb

@@ -1,67 +1,67 @@
-class AdminApi::Aeg001CreateUserController < EgController
-  include ApiCreator
-  before_action -> { check_auth('Admin') }
-  before_action -> { @example = Utils::ManifestUtils.new.get_example(@manifest, 1, 'Admin') }
-
-  def create
-    args = {
-      account_id: session['ds_account_id'],
-      base_path: session['ds_base_path'],
-      access_token: session['ds_access_token'],
-      organization_id: session['organization_id']
-    }
-    #ds-snippet-start:Admin1Step5
-    user_data = {
-      user_name: param_gsub(params['user_name']),
-      first_name: param_gsub(params['first_name']),
-      last_name: param_gsub(params['last_name']),
-      email: param_gsub(params['email']),
-      auto_activate_memberships: true,
-      accounts: [
-        {
-          id: args[:account_id],
-          permission_profile: {
-            id: request['permission_profile_id']
-          },
-          groups: [
-            {
-              id: request['group_id']
-            }
-          ]
-        }
-      ]
-    }
-    #ds-snippet-end:Admin1Step5
-
-    begin
-      results = AdminApi::Eg001CreateUserService.new(args, user_data).worker
-
-      @title = @example['ExampleName']
-      @message = @example['ResultsPageText']
-      @json = results.to_json.to_json
-      render 'ds_common/example_done'
-    rescue DocuSign_Admin::ApiError => e
-      handle_error(e)
-    end
-  end
-
-  def get
-    super
-    session[:organization_id] = AdminApi::GetDataService.new(session).get_organization_id if session[:organization_id].nil?
-    args = {
-      account_id: session['ds_account_id'],
-      base_path: session['ds_base_path'],
-      access_token: session['ds_access_token']
-    }
-
-    #ds-snippet-start:Admin1Step3
-    accounts_api = create_account_api(args)
-    @permission_profiles = accounts_api.list_permissions(args[:account_id]).permission_profiles
-    #ds-snippet-end:Admin1Step3
-
-    #ds-snippet-start:Admin1Step4
-    groups_api = create_group_api(args)
-    @groups = groups_api.list_groups(args[:account_id]).groups
-    #ds-snippet-end:Admin1Step4
-  end
-end
+class AdminApi::Aeg001CreateUserController < EgController
+  include ApiCreator
+  before_action -> { check_auth('Admin') }
+  before_action -> { @example = Utils::ManifestUtils.new.get_example(@manifest, 1, 'Admin') }
+
+  def create
+    args = {
+      account_id: session['ds_account_id'],
+      base_path: session['ds_base_path'],
+      access_token: session['ds_access_token'],
+      organization_id: session['organization_id']
+    }
+    #ds-snippet-start:Admin1Step5
+    user_data = {
+      user_name: param_gsub(params['user_name']),
+      first_name: param_gsub(params['first_name']),
+      last_name: param_gsub(params['last_name']),
+      email: param_gsub(params['email']),
+      auto_activate_memberships: true,
+      accounts: [
+        {
+          id: args[:account_id],
+          permission_profile: {
+            id: param_gsub(params['permission_profile_id'])
+          },
+          groups: [
+            {
+              id: param_gsub(params['group_id'])
+            }
+          ]
+        }
+      ]
+    }
+    #ds-snippet-end:Admin1Step5
+
+    begin
+      results = AdminApi::Eg001CreateUserService.new(args, user_data).worker
+
+      @title = @example['ExampleName']
+      @message = @example['ResultsPageText']
+      @json = results.to_json.to_json
+      render 'ds_common/example_done'
+    rescue DocuSign_Admin::ApiError => e
+      handle_error(e)
+    end
+  end
+
+  def get
+    super
+    session[:organization_id] = AdminApi::GetDataService.new(session).get_organization_id if session[:organization_id].nil?
+    args = {
+      account_id: session['ds_account_id'],
+      base_path: session['ds_base_path'],
+      access_token: session['ds_access_token']
+    }
+
+    #ds-snippet-start:Admin1Step3
+    accounts_api = create_account_api(args)
+    @permission_profiles = accounts_api.list_permissions(args[:account_id]).permission_profiles
+    #ds-snippet-end:Admin1Step3
+
+    #ds-snippet-start:Admin1Step4
+    groups_api = create_group_api(args)
+    @groups = groups_api.list_groups(args[:account_id]).groups
+    #ds-snippet-end:Admin1Step4
+  end
+end

app/controllers/clickwrap/ceg001_create_clickwrap_controller.rb

@@ -1,24 +1,24 @@
-class Clickwrap::Ceg001CreateClickwrapController < EgController
-  before_action -> { check_auth('Click') }
-  before_action -> { @example = Utils::ManifestUtils.new.get_example(@manifest, 1, 'Click') }
-
-  def create
-    args = {
-      account_id: session[:ds_account_id],
-      base_path: session[:ds_base_path],
-      access_token: session[:ds_access_token],
-      doc_pdf: File.join('data', Rails.configuration.doc_terms_pdf),
-      clickwrap_name: request[:clickwrapName]
-    }
-
-    results = Clickwrap::Eg001CreateClickwrapService.new(args).worker
-
-    session[:clickwrap_id] = results.clickwrap_id
-    session[:clickwrap_name] = results.clickwrap_name
-
-    @title = @example['ExampleName']
-    @message = format_string(@example['ResultsPageText'], results.clickwrap_name)
-    @json = results.to_json.to_json
-    render 'ds_common/example_done'
-  end
-end
+class Clickwrap::Ceg001CreateClickwrapController < EgController
+  before_action -> { check_auth('Click') }
+  before_action -> { @example = Utils::ManifestUtils.new.get_example(@manifest, 1, 'Click') }
+
+  def create
+    args = {
+      account_id: session[:ds_account_id],
+      base_path: session[:ds_base_path],
+      access_token: session[:ds_access_token],
+      doc_pdf: File.join('data', Rails.configuration.doc_terms_pdf),
+      clickwrap_name: param_gsub(params[:clickwrapName])
+    }
+
+    results = Clickwrap::Eg001CreateClickwrapService.new(args).worker
+
+    session[:clickwrap_id] = results.clickwrap_id
+    session[:clickwrap_name] = results.clickwrap_name
+
+    @title = @example['ExampleName']
+    @message = format_string(@example['ResultsPageText'], results.clickwrap_name)
+    @json = results.to_json.to_json
+    render 'ds_common/example_done'
+  end
+end

app/controllers/clickwrap/ceg005_clickwrap_responses_controller.rb

@@ -1,21 +1,21 @@
-class Clickwrap::Ceg005ClickwrapResponsesController < EgController
-  before_action -> { check_auth('Click') }
-  before_action -> { @example = Utils::ManifestUtils.new.get_example(@manifest, 5, 'Click') }
-
-  def create
-    args = {
-      account_id: session[:ds_account_id],
-      base_path: session[:ds_base_path],
-      access_token: session[:ds_access_token],
-      clickwrap_id: session[:clickwrap_id],
-      client_user_id: request[:client_user_id]
-    }
-
-    results = Clickwrap::Eg005ClickwrapResponsesService.new(args).worker
-
-    @title = @example['ExampleName']
-    @message = @example['ResultsPageText']
-    @json = results.to_json.to_json
-    render 'ds_common/example_done'
-  end
-end
+class Clickwrap::Ceg005ClickwrapResponsesController < EgController
+  before_action -> { check_auth('Click') }
+  before_action -> { @example = Utils::ManifestUtils.new.get_example(@manifest, 5, 'Click') }
+
+  def create
+    args = {
+      account_id: session[:ds_account_id],
+      base_path: session[:ds_base_path],
+      access_token: session[:ds_access_token],
+      clickwrap_id: session[:clickwrap_id],
+      client_user_id: param_gsub(params[:client_user_id])
+    }
+
+    results = Clickwrap::Eg005ClickwrapResponsesService.new(args).worker
+
+    @title = @example['ExampleName']
+    @message = @example['ResultsPageText']
+    @json = results.to_json.to_json
+    render 'ds_common/example_done'
+  end
+end

app/controllers/e_sign/eeg032_pauses_signature_workflow_controller.rb

@@ -1,39 +1,39 @@
-# frozen_string_literal: true
-
-class ESign::Eeg032PausesSignatureWorkflowController < EgController
-  before_action -> { check_auth('eSignature') }
-  before_action -> { @example = Utils::ManifestUtils.new.get_example(@manifest, 32, 'eSignature') }
-
-  def create
-    signers = {
-      signerEmail1: request['signerEmail1'],
-      signerName1: request['signerName1'],
-      signerEmail2: request['signerEmail2'],
-      signerName2: request['signerName2']
-    }
-    args = {
-      accountId: session['ds_account_id'],
-      basePath: session['ds_base_path'],
-      accessToken: session['ds_access_token'],
-      status: 'sent'
-    }
-
-    results = ESign::Eg032PausesSignatureWorkflowService.new(args, signers).worker
-
-    @envelop_id = results.to_hash[:envelopeId].to_s
-    session[:envelope_id] = @envelop_id
-
-    render 'e_sign/eeg032_pauses_signature_workflow/return'
-  end
-
-  def get
-    enableCFR = ESign::GetDataService.new(session[:ds_access_token], session[:ds_base_path]).cfr?(session[:ds_account_id])
-    if enableCFR == 'enabled'
-      session[:status_cfr] = 'enabled'
-      @title = 'Not CFR Part 11 compatible'
-      @error_information = @manifest['SupportingTexts']['CFRError']
-      render 'ds_common/error'
-    end
-    super
-  end
-end
+# frozen_string_literal: true
+
+class ESign::Eeg032PausesSignatureWorkflowController < EgController
+  before_action -> { check_auth('eSignature') }
+  before_action -> { @example = Utils::ManifestUtils.new.get_example(@manifest, 32, 'eSignature') }
+
+  def create
+    signers = {
+      signerEmail1: param_gsub(params['signerEmail1']),
+      signerName1: param_gsub(params['signerName1']),
+      signerEmail2: param_gsub(params['signerEmail2']),
+      signerName2: param_gsub(params['signerName2'])
+    }
+    args = {
+      accountId: session['ds_account_id'],
+      basePath: session['ds_base_path'],
+      accessToken: session['ds_access_token'],
+      status: 'sent'
+    }
+
+    results = ESign::Eg032PausesSignatureWorkflowService.new(args, signers).worker
+
+    @envelop_id = results.to_hash[:envelopeId].to_s
+    session[:envelope_id] = @envelop_id
+
+    render 'e_sign/eeg032_pauses_signature_workflow/return'
+  end
+
+  def get
+    enableCFR = ESign::GetDataService.new(session[:ds_access_token], session[:ds_base_path]).cfr?(session[:ds_account_id])
+    if enableCFR == 'enabled'
+      session[:status_cfr] = 'enabled'
+      @title = 'Not CFR Part 11 compatible'
+      @error_information = @manifest['SupportingTexts']['CFRError']
+      render 'ds_common/error'
+    end
+    super
+  end
+end

app/controllers/e_sign/eeg034_use_conditional_recipients_controller.rb

@@ -1,50 +1,50 @@
-# frozen_string_literal: true
-
-class ESign::Eeg034UseConditionalRecipientsController < EgController
-  before_action -> { check_auth('eSignature') }
-  before_action -> { @example = Utils::ManifestUtils.new.get_example(@manifest, 34, 'eSignature') }
-
-  def create
-    signers = {
-      signerEmail1: request['signerEmail1'],
-      signerName1: request['signerName1'],
-
-      signerEmailNotChecked: request['signerEmailNotChecked'],
-      signerNameNotChecked: request['signerNameNotChecked'],
-
-      signerEmailChecked: request['signerEmailChecked'],
-      signerNameChecked: request['signerNameChecked']
-    }
-
-    args = {
-      accountId: session['ds_account_id'],
-      basePath: session['ds_base_path'],
-      accessToken: session['ds_access_token']
-    }
-
-    results = ESign::Eg034UseConditionalRecipientsService.new(args, signers).worker
-    @envelop_id = results.to_hash[:envelopeId].to_s
-    render 'e_sign/eeg034_use_conditional_recipients/return'
-  rescue DocuSign_eSign::ApiError => e
-    error = JSON.parse e.response_body
-    @error_code = error['errorCode']
-    if error['errorCode']['WORKFLOW_UPDATE_RECIPIENTROUTING_NOT_ALLOWED']
-      @error_message = @example['CustomErrorTexts'][0]['ErrorMessage']
-      @error_information = @example['CustomErrorTexts'][0]['ErrorMessage']
-    else
-      @error_message = error['message']
-    end
-    render 'ds_common/error'
-  end
-
-  def get
-    enableCFR = ESign::GetDataService.new(session[:ds_access_token], session[:ds_base_path]).cfr?(session[:ds_account_id])
-    if enableCFR == 'enabled'
-      session[:status_cfr] = 'enabled'
-      @title = 'Not CFR Part 11 compatible'
-      @error_information = @manifest['SupportingTexts']['CFRError']
-      render 'ds_common/error'
-    end
-    super
-  end
-end
+# frozen_string_literal: true
+
+class ESign::Eeg034UseConditionalRecipientsController < EgController
+  before_action -> { check_auth('eSignature') }
+  before_action -> { @example = Utils::ManifestUtils.new.get_example(@manifest, 34, 'eSignature') }
+
+  def create
+    signers = {
+      signerEmail1: param_gsub(params['signerEmail1']),
+      signerName1: param_gsub(params['signerName1']),
+
+      signerEmailNotChecked: param_gsub(params['signerEmailNotChecked']),
+      signerNameNotChecked: param_gsub(params['signerNameNotChecked']),
+
+      signerEmailChecked: param_gsub(params['signerEmailChecked']),
+      signerNameChecked: param_gsub(params['signerNameChecked'])
+    }
+
+    args = {
+      accountId: session['ds_account_id'],
+      basePath: session['ds_base_path'],
+      accessToken: session['ds_access_token']
+    }
+
+    results = ESign::Eg034UseConditionalRecipientsService.new(args, signers).worker
+    @envelop_id = results.to_hash[:envelopeId].to_s
+    render 'e_sign/eeg034_use_conditional_recipients/return'
+  rescue DocuSign_eSign::ApiError => e
+    error = JSON.parse e.response_body
+    @error_code = error['errorCode']
+    if error['errorCode']['WORKFLOW_UPDATE_RECIPIENTROUTING_NOT_ALLOWED']
+      @error_message = @example['CustomErrorTexts'][0]['ErrorMessage']
+      @error_information = @example['CustomErrorTexts'][0]['ErrorMessage']
+    else
+      @error_message = error['message']
+    end
+    render 'ds_common/error'
+  end
+
+  def get
+    enableCFR = ESign::GetDataService.new(session[:ds_access_token], session[:ds_base_path]).cfr?(session[:ds_account_id])
+    if enableCFR == 'enabled'
+      session[:status_cfr] = 'enabled'
+      @title = 'Not CFR Part 11 compatible'
+      @error_information = @manifest['SupportingTexts']['CFRError']
+      render 'ds_common/error'
+    end
+    super
+  end
+end

app/controllers/session_controller.rb

@@ -1,83 +1,89 @@
-# frozen_string_literal: true
-
-class SessionController < ApplicationController
-  # GET /auth/:provider/callback
-  def create
-    redirect_url = if session[:eg]
-                     "/#{session[:eg]}"
-                   else
-                     root_path
-                   end
-
-    # reset the session
-    internal_destroy
-
-    Rails.logger.debug "\n==> Docusign callback Authentication response:\n#{auth_hash.to_yaml}\n"
-    Rails.logger.info "==> Login: New token for admin user which will expire at: #{Time.at(auth_hash.credentials['expires_at'])}"
-    store_auth_hash_from_docusign_callback
-    redirect_to redirect_url
-  end
-
-  # GET /ds/logout
-  def destroy
-    internal_destroy
-    redirect_to root_path
-  end
-
-  # def switch_api
-  #   internal_destroy
-  # end
-
-  # GET /auth/failure
-  def omniauth_failure
-    error_msg = "OmniAuth authentication failure message: #{params[:message]} for strategy: #{params[:strategy]} and HTTP_REFERER: #{params[:origin]}"
-    Rails.logger.warn "\n==> #{error_msg}"
-    flash[:notice] = error_msg
-    redirect_to root_path
-  end
-
-  def show
-    Rails.logger.debug "==> Session:\n#{session.to_h.to_yaml}"
-    render json: session.to_json
-  end
-
-  protected
-
-  def internal_destroy
-    session.delete :ds_expires_at
-    session.delete :ds_user_name
-    session.delete :ds_access_token
-    session.delete :ds_account_id
-    session.delete :ds_account_name
-    session.delete :ds_base_path
-    session.delete 'omniauth.state'
-    session.delete 'omniauth.params'
-    session.delete 'omniauth.origin'
-    session.delete :envelope_id
-    session.delete :envelope_documents
-    session.delete :template_id
-    session.delete :eg
-    session.delete :manifest
-    session.delete :status_cfr
-    session.delete :is_workflow_published
-  end
-
-  def store_auth_hash_from_docusign_callback
-    session[:ds_expires_at]   = auth_hash.credentials['expires_at']
-    session[:ds_user_name]    = auth_hash.info.name
-    session[:ds_access_token] = auth_hash.credentials.token
-    session[:ds_account_id]   = auth_hash.extra.account_id
-    session[:ds_account_name] = auth_hash.extra.account_name
-    session[:ds_base_path]    = auth_hash.extra.base_uri
-  end
-
-  # returns hash with key structure of:
-  # - provider
-  # - uid
-  # - info: [name, email, first_name, last_name]
-  # - credentials: [token, refresh_token, expires_at, expires]
-  # - extra: [sub, account_id, account_name, base_uri]
-  def auth_hash
-    @auth_hash ||= request.env['omniauth.auth']
-  end
-end
+# frozen_string_literal: true
+
+class SessionController < ApplicationController
+  # GET /auth/:provider/callback
+  def create
+    redirect_url = if session[:eg]
+                     "/#{session[:eg]}"
+                   else
+                     root_path
+                   end
+
+    # reset the session
+    internal_destroy
+
+    Rails.logger.debug "\n==> Docusign callback Authentication response:\n#{auth_hash.to_yaml}\n"
+    Rails.logger.info "==> Login: New token for admin user which will expire at: #{Time.at(auth_hash.credentials['expires_at'])}"
+    store_auth_hash_from_docusign_callback
+    redirect_to redirect_url
+  end
+
+  # GET /ds/logout
+  def destroy
+    internal_destroy
+    redirect_to root_path
+  end
+
+  # def switch_api
+  #   internal_destroy
+  # end
+
+  # GET /auth/failure
+  def omniauth_failure
+    unless session[:pkce_failed]
+      Rails.logger.warn "PKCE Auth failed \n"
+      session[:pkce_failed] = true
+      return redirect_to '/auth/docusign'
+    end
+
+    error_msg = "OmniAuth authentication failure message: #{params[:message]} for strategy: #{params[:strategy]} and HTTP_REFERER: #{params[:origin]}"
+    Rails.logger.warn "\n==> #{error_msg}"
+    flash[:notice] = error_msg
+    redirect_to root_path
+  end
+
+  def show
+    Rails.logger.debug "==> Session:\n#{session.to_h.to_yaml}"
+    render json: session.to_json
+  end
+
+  protected
+
+  def internal_destroy
+    session.delete :ds_expires_at
+    session.delete :ds_user_name
+    session.delete :ds_access_token
+    session.delete :ds_account_id
+    session.delete :ds_account_name
+    session.delete :ds_base_path
+    session.delete 'omniauth.state'
+    session.delete 'omniauth.params'
+    session.delete 'omniauth.origin'
+    session.delete :envelope_id
+    session.delete :envelope_documents
+    session.delete :template_id
+    session.delete :eg
+    session.delete :manifest
+    session.delete :status_cfr
+    session.delete :is_workflow_published
+  end
+
+  def store_auth_hash_from_docusign_callback
+    session[:ds_expires_at]   = auth_hash.credentials['expires_at']
+    session[:ds_user_name]    = auth_hash.info.name
+    session[:ds_access_token] = auth_hash.credentials.token
+    session[:ds_account_id]   = auth_hash.extra.account_id
+    session[:ds_account_name] = auth_hash.extra.account_name
+    session[:ds_base_path]    = auth_hash.extra.base_uri
+  end
+
+  # returns hash with key structure of:
+  # - provider
+  # - uid
+  # - info: [name, email, first_name, last_name]
+  # - credentials: [token, refresh_token, expires_at, expires]
+  # - extra: [sub, account_id, account_name, base_uri]
+  def auth_hash
+    @auth_hash ||= request.env['omniauth.auth']
+  end
+end

config/initializers/omniauth.rb

@@ -1,57 +1,61 @@
-# frozen_string_literal: true
-
-require 'docusign'
-
-# Defaults to STDOUT: https://github.com/omniauth/omniauth#logging
-# Logs entries like:
-# (docusign) Setup endpoint detected, running now.
-# (docusign) Request phase initiated.
-# (docusign) Callback phase initiated.
-OmniAuth.config.logger = Rails.logger
-
-# https://github.com/omniauth/omniauth/wiki/FAQ#omniauthfailureendpoint-does-not-redirect-in-development-mode
-# otherwise a callback exception like the following will not get caught:
-# OmniAuth::Strategies::OAuth2::CallbackError (access_denied)
-# GET "/auth/docusign/callback?error=access_denied&error_message=The%20user%20did%20not%20consent%20to%20connecting%20the%20application.&state=
-# OmniAuth.config.failure_raise_out_environments = [] # defaults to: ['development']
-
-OmniAuth.config.allowed_request_methods = %i[post get]
-
-config = Rails.application.config
-config.middleware.use OmniAuth::Builder do
-  # OAuth2 login request configuration
-  # OAuth2 login response callback message configuration is in OmniAuth::Strategies::Docusign in lib/docusign.rb
-  provider :docusign, config.integration_key, config.integration_secret, setup: lambda { |env|
-    strategy = env['omniauth.strategy']
-
-    # params = strategy.request.params
-    # examples_API = params['examples_API']
-    # strategy.request.params.delete('examples_API')
-
-    strategy.options[:client_options].site = config.app_url
-    strategy.options[:prompt] = 'login'
-    strategy.options[:oauth_base_uri] = config.authorization_server
-    strategy.options[:target_account_id] = config.target_account_id
-    strategy.options[:allow_silent_authentication] = config.allow_silent_authentication
-    strategy.options[:client_options].authorize_url = "#{strategy.options[:oauth_base_uri]}/oauth/auth"
-    strategy.options[:client_options].user_info_url = "#{strategy.options[:oauth_base_uri]}/oauth/userinfo"
-    strategy.options[:client_options].token_url = "#{strategy.options[:oauth_base_uri]}/oauth/token"
-    strategy.options[:authorize_params].prompt = strategy.options.prompt unless strategy.options[:allow_silent_authentication]
-    session = strategy.session
-
-    case session[:api]
-    when 'eSignature'
-      strategy.options[:authorize_params].scope = 'signature'
-    when 'Rooms'
-      strategy.options[:authorize_params].scope = 'signature dtr.rooms.read dtr.rooms.write dtr.documents.read dtr.documents.write dtr.profile.read dtr.profile.write dtr.company.read dtr.company.write room_forms'
-    when 'Click'
-      strategy.options[:authorize_params].scope = 'signature click.manage click.send'
-    when 'Admin'
-      strategy.options[:authorize_params].scope = 'signature organization_read group_read permission_read user_read user_write account_read domain_read identity_provider_read user_data_redact asset_group_account_read asset_group_account_clone_write asset_group_account_clone_read organization_sub_account_write organization_sub_account_read'
-    when 'WebForms'
-      strategy.options[:authorize_params].scope = 'signature webforms_read webforms_instance_read webforms_instance_write'
-    when 'Maestro'
-      strategy.options[:authorize_params].scope = 'signature aow_manage'
-    end
-  }
-end
+# frozen_string_literal: true
+
+require 'docusign'
+
+# Defaults to STDOUT: https://github.com/omniauth/omniauth#logging
+# Logs entries like:
+# (docusign) Setup endpoint detected, running now.
+# (docusign) Request phase initiated.
+# (docusign) Callback phase initiated.
+OmniAuth.config.logger = Rails.logger
+
+# https://github.com/omniauth/omniauth/wiki/FAQ#omniauthfailureendpoint-does-not-redirect-in-development-mode
+# otherwise a callback exception like the following will not get caught:
+# OmniAuth::Strategies::OAuth2::CallbackError (access_denied)
+# GET "/auth/docusign/callback?error=access_denied&error_message=The%20user%20did%20not%20consent%20to%20connecting%20the%20application.&state=
+# OmniAuth.config.failure_raise_out_environments = [] # defaults to: ['development']
+
+OmniAuth.config.allowed_request_methods = %i[post get]
+
+config = Rails.application.config
+config.middleware.use OmniAuth::Builder do
+  # OAuth2 login request configuration
+  # OAuth2 login response callback message configuration is in OmniAuth::Strategies::Docusign in lib/docusign.rb
+  provider :docusign, config.integration_key, config.integration_secret, setup: lambda { |env|
+    strategy = env['omniauth.strategy']
+
+    # params = strategy.request.params
+    # examples_API = params['examples_API']
+    # strategy.request.params.delete('examples_API')
+
+    strategy.options[:client_options].site = config.app_url
+    strategy.options[:prompt] = 'login'
+    strategy.options[:oauth_base_uri] = config.authorization_server
+    strategy.options[:target_account_id] = config.target_account_id
+    strategy.options[:allow_silent_authentication] = config.allow_silent_authentication
+    strategy.options[:client_options].authorize_url = "#{strategy.options[:oauth_base_uri]}/oauth/auth"
+    strategy.options[:client_options].user_info_url = "#{strategy.options[:oauth_base_uri]}/oauth/userinfo"
+    strategy.options[:client_options].token_url = "#{strategy.options[:oauth_base_uri]}/oauth/token"
+    strategy.options[:authorize_params].prompt = strategy.options.prompt unless strategy.options[:allow_silent_authentication]
+    session = strategy.session
+
+    unless session[:pkce_failed]
+      strategy.options[:pkce] = true
+    end
+
+    case session[:api]
+    when 'eSignature'
+      strategy.options[:authorize_params].scope = 'signature'
+    when 'Rooms'
+      strategy.options[:authorize_params].scope = 'signature dtr.rooms.read dtr.rooms.write dtr.documents.read dtr.documents.write dtr.profile.read dtr.profile.write dtr.company.read dtr.company.write room_forms'
+    when 'Click'
+      strategy.options[:authorize_params].scope = 'signature click.manage click.send'
+    when 'Admin'
+      strategy.options[:authorize_params].scope = 'signature organization_read group_read permission_read user_read user_write account_read domain_read identity_provider_read user_data_redact asset_group_account_read asset_group_account_clone_write asset_group_account_clone_read organization_sub_account_write organization_sub_account_read'
+    when 'WebForms'
+      strategy.options[:authorize_params].scope = 'signature webforms_read webforms_instance_read webforms_instance_write'
+    when 'Maestro'
+      strategy.options[:authorize_params].scope = 'signature aow_manage'
+    end
+  }
+end

quick_acg/app/controllers/ds_common_controller.rb

@@ -12,6 +12,8 @@ def handle_redirects
       session[:quickstarted] = true
       redirect_to '/auth/docusign'
     else
+      return redirect_to '/auth/docusign' if session[:ds_access_token].nil? || session[:ds_base_path].nil?
+
       enableCFR = ESign::GetDataService.new(session[:ds_access_token], session[:ds_base_path]).cfr?(session[:ds_account_id])
       if enableCFR == 'enabled'
         session[:status_cfr] = 'enabled'

quick_acg/config/initializers/omniauth.rb

@@ -1,51 +1,55 @@
-# frozen_string_literal: true
-
-require 'docusign'
-
-# Defaults to STDOUT: https://github.com/omniauth/omniauth#logging
-# Logs entries like:
-# (docusign) Setup endpoint detected, running now.
-# (docusign) Request phase initiated.
-# (docusign) Callback phase initiated.
-OmniAuth.config.logger = Rails.logger
-
-# https://github.com/omniauth/omniauth/wiki/FAQ#omniauthfailureendpoint-does-not-redirect-in-development-mode
-# otherwise a callback exception like the following will not get caught:
-# OmniAuth::Strategies::OAuth2::CallbackError (access_denied)
-# GET "/auth/docusign/callback?error=access_denied&error_message=The%20user%20did%20not%20consent%20to%20connecting%20the%20application.&state=
-# OmniAuth.config.failure_raise_out_environments = [] # defaults to: ['development']
-
-OmniAuth.config.allowed_request_methods = %i[post get]
-
-config = Rails.application.config
-config.middleware.use OmniAuth::Builder do
-  # OAuth2 login request configuration
-  # OAuth2 login response callback message configuration is in OmniAuth::Strategies::Docusign in lib/docusign.rb
-  provider :docusign, config.integration_key, config.integration_secret, setup: lambda { |env|
-    strategy = env['omniauth.strategy']
-
-    # params = strategy.request.params
-    # examples_API = params['examples_API']
-    # strategy.request.params.delete('examples_API')
-
-    strategy.options[:client_options].site = config.app_url
-    strategy.options[:prompt] = 'login'
-    strategy.options[:oauth_base_uri] = config.authorization_server
-    strategy.options[:target_account_id] = config.target_account_id
-    strategy.options[:allow_silent_authentication] = config.allow_silent_authentication
-    strategy.options[:client_options].authorize_url = "#{strategy.options[:oauth_base_uri]}/oauth/auth"
-    strategy.options[:client_options].user_info_url = "#{strategy.options[:oauth_base_uri]}/oauth/userinfo"
-    strategy.options[:client_options].token_url = "#{strategy.options[:oauth_base_uri]}/oauth/token"
-    strategy.options[:authorize_params].prompt = strategy.options.prompt unless strategy.options[:allow_silent_authentication]
-    session = strategy.session
-
-    case session[:api]
-    when 'Rooms'
-      strategy.options[:authorize_params].scope = 'signature dtr.rooms.read dtr.rooms.write dtr.documents.read dtr.documents.write dtr.profile.read dtr.profile.write dtr.company.read dtr.company.write room_forms'
-    when 'Click'
-      strategy.options[:authorize_params].scope = 'signature click.manage click.send'
-    when 'Admin'
-      strategy.options[:authorize_params].scope = 'signature organization_read group_read permission_read user_read user_write account_read domain_read identity_provider_read user_data_redact asset_group_account_read asset_group_account_clone_write asset_group_account_clone_read'
-    end
-  }
-end
+# frozen_string_literal: true
+
+require 'docusign'
+
+# Defaults to STDOUT: https://github.com/omniauth/omniauth#logging
+# Logs entries like:
+# (docusign) Setup endpoint detected, running now.
+# (docusign) Request phase initiated.
+# (docusign) Callback phase initiated.
+OmniAuth.config.logger = Rails.logger
+
+# https://github.com/omniauth/omniauth/wiki/FAQ#omniauthfailureendpoint-does-not-redirect-in-development-mode
+# otherwise a callback exception like the following will not get caught:
+# OmniAuth::Strategies::OAuth2::CallbackError (access_denied)
+# GET "/auth/docusign/callback?error=access_denied&error_message=The%20user%20did%20not%20consent%20to%20connecting%20the%20application.&state=
+OmniAuth.config.failure_raise_out_environments = [] # defaults to: ['development']
+
+OmniAuth.config.allowed_request_methods = %i[post get]
+
+config = Rails.application.config
+config.middleware.use OmniAuth::Builder do
+  # OAuth2 login request configuration
+  # OAuth2 login response callback message configuration is in OmniAuth::Strategies::Docusign in lib/docusign.rb
+  provider :docusign, config.integration_key, config.integration_secret, setup: lambda { |env|
+    strategy = env['omniauth.strategy']
+
+    # params = strategy.request.params
+    # examples_API = params['examples_API']
+    # strategy.request.params.delete('examples_API')
+
+    strategy.options[:client_options].site = config.app_url
+    strategy.options[:prompt] = 'login'
+    strategy.options[:oauth_base_uri] = config.authorization_server
+    strategy.options[:target_account_id] = config.target_account_id
+    strategy.options[:allow_silent_authentication] = config.allow_silent_authentication
+    strategy.options[:client_options].authorize_url = "#{strategy.options[:oauth_base_uri]}/oauth/auth"
+    strategy.options[:client_options].user_info_url = "#{strategy.options[:oauth_base_uri]}/oauth/userinfo"
+    strategy.options[:client_options].token_url = "#{strategy.options[:oauth_base_uri]}/oauth/token"
+    strategy.options[:authorize_params].prompt = strategy.options.prompt unless strategy.options[:allow_silent_authentication]
+    session = strategy.session
+
+    unless session[:pkce_failed]
+      strategy.options[:pkce] = true
+    end
+
+    case session[:api]
+    when 'Rooms'
+      strategy.options[:authorize_params].scope = 'signature dtr.rooms.read dtr.rooms.write dtr.documents.read dtr.documents.write dtr.profile.read dtr.profile.write dtr.company.read dtr.company.write room_forms'
+    when 'Click'
+      strategy.options[:authorize_params].scope = 'signature click.manage click.send'
+    when 'Admin'
+      strategy.options[:authorize_params].scope = 'signature organization_read group_read permission_read user_read user_write account_read domain_read identity_provider_read user_data_redact asset_group_account_read asset_group_account_clone_write asset_group_account_clone_read'
+    end
+  }
+end

quick_acg/config/routes.rb

@@ -1,40 +1,43 @@
-require_relative '../../app/controllers/application_controller'
-require_relative '../../app/controllers/eg_controller'
-require_relative '../../app/controllers/session_controller'
-require_relative '../../app/services/api_creator'
-require_relative '../../app/controllers/eeg001_embedded_signing_controller'
-require_relative '../../app/services/eg001_embedded_signing_service'
-require_relative '../../app/services/utils'
-
-class ESign
-end
-
-require_relative '../../app/controllers/e_sign/eeg041_cfr_embedded_signing_controller'
-require_relative '../../app/services/e_sign/eg041_cfr_embedded_signing_service'
-require_relative '../../app/services/e_sign/get_data_service'
-
-Rails.application.routes.draw do
-  root 'ds_common#index'
-
-  get '/eeg001' => 'eeg001_embedded_signing#get'
-  post '/eeg001' => 'eeg001_embedded_signing#create'
-
-  scope module: 'e_sign' do
-    get 'eeg041' => 'eeg041_cfr_embedded_signing#get'
-    post 'eeg041' => 'eeg041_cfr_embedded_signing#create'
-  end
-  # Login starts with POST'ing to: /auth/docusign
-  # /auth/docusign is an internal route created by OmniAuth and the docusign strategy from: /lib/docusign.rb
-  # Should be POST, see: https://nvd.nist.gov/vuln/detail/CVE-2015-9284
-  # get '/ds/login' => redirect('/auth/docusign')
-
-  # Handle OmniAuth OAuth2 login callback result that includes the AuthHash
-  get '/auth/:provider/callback', to: 'session#create'
-
-  get '/ds_common-return' => 'ds_common#index'
-
-  get '/ds/mustAuthenticate' => 'ds_common#ds_must_authenticate'
-  post '/ds/mustAuthenticate' => 'ds_common#ds_must_authenticate'
-
-  # For details on the DSL available within this file, see http://guides.rubyonrails.org/routing.html
-end
+require_relative '../../app/controllers/application_controller'
+require_relative '../../app/controllers/eg_controller'
+require_relative '../../app/controllers/session_controller'
+require_relative '../../app/services/api_creator'
+require_relative '../../app/controllers/eeg001_embedded_signing_controller'
+require_relative '../../app/services/eg001_embedded_signing_service'
+require_relative '../../app/services/utils'
+
+class ESign
+end
+
+require_relative '../../app/controllers/e_sign/eeg041_cfr_embedded_signing_controller'
+require_relative '../../app/services/e_sign/eg041_cfr_embedded_signing_service'
+require_relative '../../app/services/e_sign/get_data_service'
+
+Rails.application.routes.draw do
+  root 'ds_common#index'
+
+  get '/eeg001' => 'eeg001_embedded_signing#get'
+  post '/eeg001' => 'eeg001_embedded_signing#create'
+
+  scope module: 'e_sign' do
+    get 'eeg041' => 'eeg041_cfr_embedded_signing#get'
+    post 'eeg041' => 'eeg041_cfr_embedded_signing#create'
+  end
+  # Login starts with POST'ing to: /auth/docusign
+  # /auth/docusign is an internal route created by OmniAuth and the docusign strategy from: /lib/docusign.rb
+  # Should be POST, see: https://nvd.nist.gov/vuln/detail/CVE-2015-9284
+  # get '/ds/login' => redirect('/auth/docusign')
+
+  # Handle OmniAuth OAuth2 login callback result that includes the AuthHash
+  get '/auth/:provider/callback', to: 'session#create'
+
+  # Handle OmniAuth OAuth2 login exceptions
+  get '/auth/failure', to: 'session#omniauth_failure'
+
+  get '/ds_common-return' => 'ds_common#index'
+
+  get '/ds/mustAuthenticate' => 'ds_common#ds_must_authenticate'
+  post '/ds/mustAuthenticate' => 'ds_common#ds_must_authenticate'
+
+  # For details on the DSL available within this file, see http://guides.rubyonrails.org/routing.html
+end