navapbc · LeslieJAnderson · Apr 25, 2025 · Apr 28, 2025 · May 1, 2025 · May 1, 2025
diff --git a/app-rails/README.md b/app-rails/README.md
@@ -96,6 +96,15 @@ To run natively:
 1. `make start-native`
 1. Then visit http://localhost:3100
 
+#### Local Authentication
+
+You can circumvent typical login and log in using any email and password if you add
+```
+AUTH_ADAPTER=mock
+```
+
+to your .env
+
 #### IDE tips
 
 <details>

diff --git a/app-rails/app/adapters/auth/mock_adapter.rb b/app-rails/app/adapters/auth/mock_adapter.rb
@@ -9,6 +9,38 @@ def self.provider_name
     @@provider_name
   end
 
+  def initiate_auth(email, password)
+    if email.include?("unconfirmed")
+      raise Auth::Errors::UserNotConfirmed.new
+    elsif password == "wrong"
+      raise Auth::Errors::InvalidCredentials.new
+    elsif email.include?("mfa")
+      return {
+        "challenge_name": "SOFTWARE_TOKEN_MFA",
+        "session": "mock-session"
+      }
+    end
+
+    existing_user = User.find_by(email: email)
+
+    uid = if existing_user
+            existing_user.uid
+    else
+            @uid_generator.call
+    end
+
+    {
+      uid: uid,
+      provider: "mock",
+      token: generate_token(email)
+    }
+  end
+
+  def generate_token(email)
+    # Return a dummy token — apps expecting a token can grab this
+    JWT.encode({ user_id: email, exp: 24.hours.from_now.to_i }, "mock_secret_key")
+  end
+
   def create_account(email, password)
     if email.include?("UsernameExists")
       raise Auth::Errors::UsernameExists.new
@@ -22,6 +54,7 @@ def create_account(email, password)
   end
 
   def change_email(uid, new_email)
+    # No-op
   end
 
   def forgot_password(email)
@@ -40,24 +73,6 @@ def confirm_forgot_password(email, code, password)
     end
   end
 
-  def initiate_auth(email, password)
-    if email.include?("unconfirmed")
-      raise Auth::Errors::UserNotConfirmed.new
-    elsif password == "wrong"
-      raise Auth::Errors::InvalidCredentials.new
-    elsif email.include?("mfa")
-      return {
-        "challenge_name": "SOFTWARE_TOKEN_MFA",
-        "session": "mock-session"
-      }
-    end
-
-    {
-      uid: @uid_generator.call,
-      provider: "mock"
-    }
-  end
-
   def associate_software_token(access_token)
     "mock-secret"
   end
@@ -69,6 +84,7 @@ def verify_software_token(code, access_token)
   end
 
   def disable_software_token(uid)
+    # No-op
   end
 
   def respond_to_auth_challenge(code, challenge)
@@ -78,7 +94,8 @@ def respond_to_auth_challenge(code, challenge)
 
     {
       uid: @uid_generator.call,
-      provider: "mock"
+      provider: "mock",
+      token: generate_token("challenge-user@example.com")
     }
   end
 

diff --git a/app-rails/app/controllers/users/sessions_controller.rb b/app-rails/app/controllers/users/sessions_controller.rb
@@ -93,7 +93,7 @@ def auth_service
 
     def new_session_params
       # If :users_new_session_form is renamed, make sure to also update it in
-      # cognito_authenticatable.rb otherwise login will not work.
+      # auth_service_authenticatable.rb otherwise login will not work.
       params.require(:users_new_session_form).permit(:email, :password, :spam_trap)
     end
 

diff --git a/.../devise/models/cognito_authenticatable.rb → ...se/models/auth_service_authenticatable.rb b/.../devise/models/cognito_authenticatable.rb → ...se/models/auth_service_authenticatable.rb
@@ -1,8 +1,8 @@
-# This adds a :cognito_authenticatable accessor for use in the `devise` portion of a user model
+# This adds a :auth_service_authenticatable accessor for use in the `devise` portion of a user model
 # Heavily inspired by https://www.endpointdev.com/blog/2023/01/using-devise-for-authentication-without-database-stored-accounts/
 module Devise
   module Models
-    module CognitoAuthenticatable
+    module AuthServiceAuthenticatable
       extend ActiveSupport::Concern
 
       module ClassMethods

diff --git a/app-rails/app/models/user.rb b/app-rails/app/models/user.rb
@@ -1,5 +1,5 @@
 class User < ApplicationRecord
-  devise :cognito_authenticatable, :timeoutable
+  devise :auth_service_authenticatable, :timeoutable
   attr_accessor :access_token
 
   # == Enums ========================================================

diff --git a/app-rails/app/services/auth_service.rb b/app-rails/app/services/auth_service.rb
@@ -1,8 +1,25 @@
 # frozen_string_literal: true
 
 class AuthService
-  def initialize(auth_adapter = Auth::CognitoAdapter.new)
-    @auth_adapter = auth_adapter
+  def initialize(auth_adapter = nil)
+    @auth_adapter = auth_adapter || default_adapter
+  end
+
+  def default_adapter
+    auth_service = ENV["AUTH_ADAPTER"]
+
+    if Rails.env.test?
+      auth service = "mock"
+    end
+
+    case auth_service
+    when "cognito"
+      Auth::CognitoAdapter.new
+    when "mock"
+      Auth::MockAdapter.new
+    else
+      raise "Unsupported AUTH_SERVICE: #{auth_service}"
+    end
   end
 
   # Send a confirmation code that's required to change the user's password

diff --git a/app-rails/config/initializers/devise.rb b/app-rails/config/initializers/devise.rb
@@ -4,7 +4,7 @@
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
   # ==> Support AWS Cognito login
-  Devise.add_module :cognito_authenticatable, controller: :sessions, route: :session
+  Devise.add_module :auth_service_authenticatable, controller: :sessions, route: :session
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this

diff --git a/app-rails/local.env.example b/app-rails/local.env.example
@@ -33,6 +33,7 @@ AWS_DEFAULT_REGION=<FILL ME IN>
 COGNITO_USER_POOL_ID=<FILL ME IN>
 COGNITO_CLIENT_ID=<FILL ME IN>
 COGNITO_CLIENT_SECRET=<FILL ME IN>
+AUTH_ADAPTER=<FILL ME IN>
 
 ############################
 # Database