cartodb/app/controllers/signup_controller.rb

require_dependency 'account_creator'

require_relative '../../lib/user_account_creator'

class SignupController < ApplicationController
  include LoginHelper
  include AccountCreator

  layout 'frontend'

  ssl_required :signup, :create, :create_http_authentication, :create_http_authentication_in_progress

  skip_before_filter :http_header_authentication,
                     only: [:create_http_authentication, :create_http_authentication_in_progress]

  before_filter :load_organization, only: [:create_http_authentication, :create_http_authentication_in_progress]
  before_filter :check_organization_quotas, only: [:create_http_authentication]
  before_filter :load_mandatory_organization, only: [:signup, :create]
  before_filter :disable_if_ldap_configured
  before_filter :initialize_oauth_config

  def signup
    email = params[:email].present? ? params[:email] : nil
    @user = ::User.new(email: email)
  end

  def create
    account_creator = CartoDB::UserAccountCreator.new(Carto::UserCreation::CREATED_VIA_ORG_SIGNUP).
                      with_organization(@organization, viewer: invitation.try(:viewer)).
                      with_invitation_token(params[:invitation_token])

    raise "Organization doesn't allow user + password authentication" if user_password_signup? && !@organization.auth_username_password_enabled

    if params[:user]
      account_creator.with_username(params[:user][:username]) if params[:user][:username].present?
      account_creator.with_email(params[:user][:email]) if params[:user][:email].present?
      account_creator.with_password(params[:user][:password]) if params[:user][:password].present?
    end

    oauth_config = oauth_provider
    if oauth_config
      api = oauth_config.class.api_class.new(oauth_config, params[:oauth_access_token])
      @oauth_fields = api.hidden_fields
      account_creator.with_oauth_api(api)
    end

    if account_creator.valid?
      trigger_account_creation(account_creator)
      render 'shared/signup_confirmation'
    else
      @user = account_creator.user
      errors = account_creator.validation_errors
      CartoDB.notify_debug('User not valid at signup', { errors: errors } )
      if errors['organization'] && !errors[:organization].empty?
        @signup_source = 'Organization'
        @signup_errors = errors
        render 'shared/signup_issue'
      else
        if google_signup? && existing_user(@user)
          flash.now[:error] = "User already registered, go to login"
        elsif @user.errors.empty?
          # No need for additional errors if there're field errors
          flash.now[:error] = 'User not valid'
        end
        render action: 'signup', status: @user.errors.empty? ? 200 : 422
      end
    end

  rescue => e
    @user ||= ::User.new
    CartoDB.notify_exception(e, { new_user: account_creator.user.inspect })
    flash.now[:error] = e.message
    render action: 'signup', status: 400
  end

  def create_http_authentication
    authenticator = Carto::HttpHeaderAuthentication.new
    render_404 and return false unless authenticator.autocreation_enabled?
    render_500 and return false unless authenticator.autocreation_valid?(request)
    render_403 and return false unless authenticator.valid?(request)

    account_creator = CartoDB::UserAccountCreator.
      new(Carto::UserCreation::CREATED_VIA_HTTP_AUTENTICATION).
      with_email_only(authenticator.email(request))

    account_creator = account_creator.with_organization(@organization) if @organization

    if account_creator.valid?
      trigger_account_creation(account_creator)

      render 'shared/signup_confirmation'
    else
      render_500
    end
  rescue => e
    CartoDB.report_exception(e, "Creating user with HTTP authentication", new_user: account_creator.user.inspect)
    flash.now[:error] = e.message
    render_500
  end

  def create_http_authentication_in_progress
    authenticator = Carto::HttpHeaderAuthentication.new
    if !authenticator.creation_in_progress?(request)
      redirect_to CartoDB.url(self, 'login')
    else
      render 'shared/signup_confirmation'
    end
  end

  private

  def oauth_provider
    case params[:oauth_provider]
    when 'google'
      @google_config
    when 'github'
      @github_config
    end
  end

  def existing_user(user)
    !Carto::User.find_by_username_and_email(user.username, user.email).nil?
  end

  def google_access_token_from_params
    [params.fetch(:google_access_token, nil), params.fetch(:google_signup_access_token, nil)].uniq.compact.first
  end

  def google_signup?
    google_access_token_from_params.present?
  end

  def user_password_signup?
    params && params['user'] && params['user']['username'].present? && params['user']['email'].present? && params['user']['password'].present?
  end

  def initialize_oauth_config
    @oauth_configs = [google_config, github_config].compact
  end

  def google_config
    unless @organization && !@organization.auth_google_enabled
      @google_config = Carto::Oauth::Google::Config.instance(form_authenticity_token, google_oauth_url,
                                                             invitation_token: params[:invitation_token],
                                                             organization_name: @organization.try(:name))
    end
  end

  def github_config
    unless @organization && !@organization.auth_github_enabled
      @github_config = Carto::Oauth::Github::Config.instance(form_authenticity_token, github_url,
                                                             invitation_token: params[:invitation_token],
                                                             organization_name: @organization.try(:name))
    end
  end

  def load_organization
    if CartoDB.subdomainless_urls?
      subdomain = request.host.to_s.gsub(".#{CartoDB.session_domain}", '')
      if subdomain == CartoDB.session_domain
        subdomain = params[:user_domain]
      end
    else
      subdomain = CartoDB.subdomain_from_request(request)
    end

    if subdomain && subdomain != CartoDB.session_domain
      @organization = ::Organization.where(name: subdomain).first
    end
  end

  def check_organization_quotas
    if @organization
      check_signup_errors = Sequel::Model::Errors.new
      user = ::User.new_with_organization(@organization, viewer: @invitation.try(:viewer))
      @organization.validate_for_signup(check_signup_errors, user)
      @signup_source = 'Organization'
      @signup_errors = check_signup_errors
      render 'shared/signup_issue' and return false if check_signup_errors.length > 0
    end
  end

  def load_mandatory_organization
    load_organization
    return render_404 unless @organization && (@organization.signup_page_enabled || invitation)
    check_organization_quotas
  end

  def disable_if_ldap_configured
    render_404 and return false if Carto::Ldap::Manager.new.configuration_present?
  end

  def invitation
    return @invitation if @invitation
    email = (params[:user] && params[:user][:email]) || params[:email]
    token = params[:invitation_token]
    return unless email && token
    invitations = Carto::Invitation.query_with_valid_email(email).where(organization_id: @organization.id).all
    @invitation = invitations.find { |i| i.token(email) == token }
  end
end