Replace Yus authentication with Swiyu OID4VP login

Users now authenticate by scanning a QR code with the swiyu Wallet app,
which presents a verifiable credential (SD-JWT) containing firstName,
lastName, and GLN. A Rack middleware intercepts /swiyu/* routes to handle
the verification flow. GLN-to-role mapping via etc/swiyu_roles.yml
preserves the existing permission system; unenrolled GLNs default to
PowerUser with unlimited queries. The query limit page now redirects
to the Swiyu login instead of showing PayPal registration forms.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: zdavatz

config.ru

@@ -86,6 +86,8 @@ begin # with a rescue
       reentrant: true
     use Clogger, logger: $stdout, reentrant: true
     use(Rack::Static, urls: ["/doc/"])
+    require "util/swiyu_middleware"
+    use ODDB::SwiyuMiddleware
     use Rack::ContentLength
     SBSM.warn "Starting Rack::Server with log_pattern #{ODDB.config.log_pattern}"
 

doc/resources/swiyu/login.html

@@ -0,0 +1,209 @@
+<!DOCTYPE html>
+<html lang="de">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>ODDB.org - Swiyu Login</title>
+  <style>
+    body {
+      font-family: Arial, Helvetica, sans-serif;
+      background: #f0f0f0;
+      margin: 0;
+      padding: 0;
+    }
+    .container {
+      max-width: 480px;
+      margin: 60px auto;
+      background: #fff;
+      border: 1px solid #ccc;
+      padding: 2em;
+      text-align: center;
+    }
+    h1 {
+      color: #003d73;
+      font-size: 1.4em;
+      margin-bottom: 0.5em;
+    }
+    p {
+      color: #333;
+      font-size: 0.95em;
+    }
+    #qrcode {
+      display: inline-block;
+      margin: 1em 0;
+    }
+    #qrcode canvas, #qrcode img {
+      margin: 0 auto;
+    }
+    #status {
+      margin: 1em 0;
+      font-size: 1.1em;
+      font-weight: bold;
+    }
+    .error { color: #c00; }
+    .success { color: #090; }
+    .pending { color: #666; }
+    #deeplink {
+      margin: 1em 0;
+    }
+    #deeplink a {
+      color: #003d73;
+      text-decoration: underline;
+    }
+    #retry-btn {
+      display: none;
+      margin: 1em auto;
+      padding: 0.6em 1.5em;
+      background: #003d73;
+      color: #fff;
+      border: none;
+      cursor: pointer;
+      font-size: 1em;
+    }
+    #retry-btn:hover {
+      background: #00507a;
+    }
+    .footer {
+      margin-top: 2em;
+      font-size: 0.8em;
+      color: #999;
+    }
+    .footer a { color: #003d73; }
+  </style>
+  <script src="/doc/resources/javascript/qrcode.js"></script>
+</head>
+<body>
+  <div class="container">
+    <h1>Login via Swiyu Wallet</h1>
+    <p>Scannen Sie den QR-Code mit Ihrer Swiyu Wallet App.</p>
+
+    <div id="qrcode"></div>
+    <div id="deeplink"></div>
+    <div id="status" class="pending">Initialisierung...</div>
+    <button id="retry-btn" onclick="startLogin()">Erneut versuchen</button>
+
+    <div class="footer">
+      <a href="/">Zur&uuml;ck zur Startseite</a>
+    </div>
+  </div>
+
+  <script>
+    var pollTimer = null;
+    var timeoutTimer = null;
+
+    function startLogin() {
+      var statusEl = document.getElementById('status');
+      var qrEl = document.getElementById('qrcode');
+      var deepEl = document.getElementById('deeplink');
+      var retryBtn = document.getElementById('retry-btn');
+
+      // Reset
+      qrEl.innerHTML = '';
+      deepEl.innerHTML = '';
+      retryBtn.style.display = 'none';
+      statusEl.textContent = 'Verifizierung wird erstellt...';
+      statusEl.className = 'pending';
+      if (pollTimer) clearInterval(pollTimer);
+      if (timeoutTimer) clearTimeout(timeoutTimer);
+
+      fetch('/swiyu/login')
+        .then(function(resp) { return resp.json(); })
+        .then(function(data) {
+          if (!data.id || !data.verification_deeplink) {
+            statusEl.textContent = 'Fehler beim Erstellen der Verifizierung.';
+            statusEl.className = 'error';
+            retryBtn.style.display = 'block';
+            return;
+          }
+
+          // Show QR code
+          new QRCode(qrEl, {
+            text: data.verification_deeplink,
+            width: 256,
+            height: 256,
+            colorDark: '#003d73',
+            colorLight: '#ffffff'
+          });
+
+          // Show mobile deeplink
+          var link = document.createElement('a');
+          link.href = data.verification_deeplink;
+          link.textContent = 'In Swiyu Wallet \u00f6ffnen';
+          deepEl.appendChild(link);
+
+          statusEl.textContent = 'Warte auf Wallet-Scan...';
+          statusEl.className = 'pending';
+
+          // Poll for status
+          var verificationId = data.id;
+          pollTimer = setInterval(function() {
+            fetch('/swiyu/status/' + verificationId)
+              .then(function(resp) { return resp.json(); })
+              .then(function(pollData) {
+                if (pollData.state === 'SUCCESS') {
+                  clearInterval(pollTimer);
+                  if (timeoutTimer) clearTimeout(timeoutTimer);
+                  statusEl.textContent = 'Verifiziert! Anmeldung...';
+                  statusEl.className = 'success';
+
+                  fetch('/swiyu/session', {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ verification_id: verificationId })
+                  })
+                    .then(function(resp) { return resp.json(); })
+                    .then(function(sessionData) {
+                      if (sessionData.status === 'ok') {
+                        window.location.href = sessionData.redirect || '/';
+                      } else {
+                        statusEl.textContent = 'Anmeldung fehlgeschlagen: ' + (sessionData.message || 'Unbekannter Fehler');
+                        statusEl.className = 'error';
+                        retryBtn.style.display = 'block';
+                      }
+                    })
+                    .catch(function() {
+                      statusEl.textContent = 'Netzwerkfehler bei der Anmeldung.';
+                      statusEl.className = 'error';
+                      retryBtn.style.display = 'block';
+                    });
+                } else if (pollData.state === 'FAILED') {
+                  clearInterval(pollTimer);
+                  if (timeoutTimer) clearTimeout(timeoutTimer);
+                  statusEl.textContent = 'Verifizierung fehlgeschlagen. Bitte erneut versuchen.';
+                  statusEl.className = 'error';
+                  retryBtn.style.display = 'block';
+                } else if (pollData.state === 'EXPIRED') {
+                  clearInterval(pollTimer);
+                  if (timeoutTimer) clearTimeout(timeoutTimer);
+                  statusEl.textContent = 'Verifizierung abgelaufen. Bitte erneut versuchen.';
+                  statusEl.className = 'error';
+                  retryBtn.style.display = 'block';
+                }
+              })
+              .catch(function(e) {
+                console.error('Polling error:', e);
+              });
+          }, 2000);
+
+          // Timeout after 5 minutes
+          timeoutTimer = setTimeout(function() {
+            clearInterval(pollTimer);
+            if (statusEl.className === 'pending') {
+              statusEl.textContent = 'Zeitlimit \u00fcberschritten. Bitte erneut versuchen.';
+              statusEl.className = 'error';
+              retryBtn.style.display = 'block';
+            }
+          }, 300000);
+        })
+        .catch(function(err) {
+          statusEl.textContent = 'Netzwerkfehler: ' + err.message;
+          statusEl.className = 'error';
+          retryBtn.style.display = 'block';
+        });
+    }
+
+    // Start automatically
+    startLogin();
+  </script>
+</body>
+</html>

etc/swiyu_roles.yml

@@ -0,0 +1,20 @@
+# etc/swiyu_roles.yml
+# Maps GLN numbers to ODDB role keys and permissions.
+#
+# Role keys correspond to the existing permission system:
+#   org.oddb.RootUser, org.oddb.AdminUser, org.oddb.PowerUser,
+#   org.oddb.CompanyUser, org.oddb.PowerLinkUser
+#
+# "permissions" lists fine-grained action/key pairs checked by allowed?(action, key).
+# "association" links a user to an ODBA-persisted object (e.g., Company) by odba_id.
+
+accepted_issuer_did: "did:tdw:QmeA6Hpod7N85daNqWZD5w8jBCU6oaXcxxQFNZ6ox245ci:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:5b1672d3-2805-4752-b364-2f87013bc5c3"
+
+users:
+  # Example root user — replace GLN with actual values
+  # "7601000000001":
+  #   roles:
+  #     - org.oddb.RootUser
+  #   permissions:
+  #     - { action: login, key: org.oddb.RootUser }
+  #   association: null

src/config.rb

@@ -19,9 +19,7 @@ module ODDB
   MEDDATA_URI ||= "druby://127.0.0.1:10006"
   SWISSREG_URI ||= "druby://127.0.0.1:10007"
   READONLY_URI ||= "druby://127.0.0.1:10013"
-  YUS_URI ||= "drbssl://127.0.0.1:9997"
   MIGEL_URI ||= "druby://127.0.0.1:33000"
-  YUS_DOMAIN ||= "oddb.org"
 
   oddb_dir = ODDB::PROJECT_ROOT
   default_dir = File.expand_path("etc", oddb_dir)

src/custom/lookandfeelbase.rb

@@ -946,6 +946,9 @@ def google_analytics_token
         :location => "PLZ/Ort",
         :login => "Anmelden",
         :login_form => "Anmeldung",
+        :swiyu_login => "Anmeldung",
+        :swiyu_login_link => "Bitte melden Sie sich mit Ihrer Swiyu Wallet an, um ODDB.org uneingeschränkt zu nutzen. Bei Fragen: zdavatz at ywesee dot com.",
+        :swiyu_logout => "Abmelden",
         :login_welcome => "Willkommen bei oddb.org",
         :logo_file => "Logo",
         :logo_fr => "Logo Français",