booth 0.0.1 → 0.0.2

data/lib/booth/requests/storages/login.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Requests
     module Storages
@@ -21,20 +23,22 @@ module Booth
         def credential_for_username
           return @credential_for_username if defined?(@credential_for_username)
 
-          @credential_for_username = ::Booth::Models::Credential.find_by(id: session[:credential_for_username])
+          @credential_for_username = ::Booth::Models::Credential.find_by(
+            scope:,
+            id: session[:credential_for_username],
+          )
         end
 
-        def contest_for_username
-          return @contest_for_username if defined?(@contest_for_username)
+        # Deserializes a Remote record from cookie.
+        #
+        def remote_for_username
+          return @remote_for_username if defined?(@remote_for_username)
 
-          @contest_for_username = ::Booth::Models::Contest.find_by(id: session[:contest_for_username])
-        end
+          log { "Deserializing Remote from Cookie in scope #{scope.inspect}" }
 
-        def password_authenticated_credential
-          return @password_authenticated_credential if defined?(@password_authenticated_credential)
-
-          @password_authenticated_credential = ::Booth::Models::Credential.find_by(
-            id: session[:password_authenticated_credential]
+          @remote_for_username = ::Booth::Models::Remote.joins(:credential).find_by(
+            credential: { scope: },
+            id: session[:remote_for_username],
           )
         end
 
@@ -55,36 +59,38 @@ module Booth
         end
 
         def credential_for_username=(new_credential)
-          debug { "Persisting credential for username in browser session for scope #{scope.inspect}" }
-          session[:credential_for_username] = new_credential.id
-          @credential_for_username = nil
-        end
+          log { "Persisting credential for username in browser session for scope #{scope.inspect}" }
 
-        def contest_for_username=(new_contest)
-          debug { "Persisting contest for username in browser session for scope #{scope.inspect}" }
-          session[:contest_for_username] = new_contest.id
-          @contest_for_username = nil
-        end
+          # I think this could happen if the end-user has multiple browser windows open
+          # and registers for different companies, finding race conditions.
+          raise "Scope mismatch #{new_credential.scope} != #{scope}" if new_credential.scope.to_sym != scope.to_sym
 
-        def reset_credential_for_username
-          debug { "Resetting credential in browser session for scope #{scope.inspect}" }
-          session.delete(:credential_for_username)
+          session[:credential_for_username] = new_credential.id
           @credential_for_username = nil
         end
 
-        def password_authenticated_credential=(new_credential)
-          debug { "Persisting password authenticated credential in browser session for scope #{scope.inspect}" }
-          session[:password_authenticated_credential] = new_credential.id
-          @password_authenticated_credential = nil
+        # Serializes a Remote record in the cookie.
+        #
+        def remote_for_username=(new_remote)
+          log { "Persisting remote for username in browser session for scope #{scope.inspect}" }
+          session[:remote_for_username] = new_remote.id
+          @remote_for_username = nil
         end
 
+        # def reset_credential_for_username
+        #   log { "Resetting credential in browser session for scope #{scope.inspect}" }
+        #   session.delete(:credential_for_username)
+        #   @credential_for_username = nil
+        # end
+
         def webauthn_challenge=(new_challenge)
           if new_challenge
-            debug do
-              "Persisting webauth challenge #{new_challenge.inspect} in browser session for scope #{scope.inspect}"
+            log do
+              "Persisting webauth challenge #{new_challenge.inspect} in browser " \
+                "session for scope #{scope.inspect}"
             end
           else
-            debug { "Removing webauth challenge from browser session for scope #{scope.inspect}" }
+            log { "Removing webauth challenge from browser session for scope #{scope.inspect}" }
           end
           session[:webauthn_challenge] = new_challenge.presence
         end

data/lib/booth/requests/storages/registration.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Requests
     module Storages

data/lib/booth/requests/storages/webauth.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Requests
     module Storages
@@ -26,6 +28,7 @@ module Booth
         # -------
 
         def authenticator_id=(new_authenticator_id)
+          @authenticator = nil
           session[:authenticator_id] = new_authenticator_id
         end
 

data/lib/booth/requests/sudo.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Requests
     class Sudo
@@ -8,59 +10,23 @@ module Booth
         @request = request
       end
 
-      def mode
-        request.authentication.mode.to_sym
-      end
-
       def lifespan
         ::Booth.config.interaction_timeout
       end
 
       # Guards
 
-      def guard_with_password
-        raise unless block_given?
-        return if password?
-
-        debug { 'You need password sudo' }
-        public_message = I18n.t('booth.password_sudo_timeout', lifespan_minutes: (lifespan / 60))
-        yield Tron.success(:password_sudo_needed, step: :sudo, public_message:)
-      end
-
-      def guard_with_otp
-        raise unless block_given?
-        return if otp?
-
-        debug { 'You need OTP sudo' }
-        public_message = I18n.t('booth.otp_sudo_timeout', lifespan_minutes: (lifespan / 60))
-        yield Tron.success(:otp_sudo_needed, step: :sudo, public_message:)
-      end
-
       def guard_with_webauth
         raise unless block_given?
         return if webauth?
 
-        debug { 'You need Webauth sudo' }
+        log { 'You need Webauth sudo' }
         public_message = I18n.t('booth.webauth_sudo_timeout', lifespan_minutes: (lifespan / 60))
         yield Tron.success(:webauth_sudo_needed, step: :sudo, public_message:)
       end
 
       # Getters
 
-      def password?
-        return true if session[:password].to_i > lifespan.ago.to_i
-
-        session[:password] = nil
-        false
-      end
-
-      def otp?
-        return true if session[:otp].to_i > lifespan.ago.to_i
-
-        session[:otp] = nil
-        false
-      end
-
       def webauth?
         return true if session[:webauth].to_i > lifespan.ago.to_i
 
@@ -74,26 +40,16 @@ module Booth
 
       # Setters
 
-      def password!
-        debug { "Remembering sudo via password has been granted in scope #{scope}" }
-        session[:password] = Time.current.to_i
-      end
-
-      def otp!
-        debug { "Remembering sudo via OTP has been granted in scope #{scope}" }
-        session[:otp] = Time.current.to_i
-      end
-
       def webauth!
-        debug { "Remembering sudo via WebAuth has been granted in scope #{scope}" }
+        log { "Remembering sudo via WebAuth has been granted in scope #{scope}" }
         session[:webauth] = Time.current.to_i
       end
 
       def webauthn_challenge=(new_challenge)
         if new_challenge
-          debug { "Persisting webauth challenge #{new_challenge.inspect} in sudo session for scope #{scope.inspect}" }
+          log { "Persisting webauth challenge #{new_challenge.inspect} in sudo session for scope #{scope.inspect}" }
         else
-          debug { "Removing webauth challenge from sudo session for scope #{scope.inspect}" }
+          log { "Removing webauth challenge from sudo session for scope #{scope.inspect}" }
         end
         session[:webauthn_challenge] = new_challenge.presence
       end

data/lib/booth/routes/userland.rb

@@ -1,80 +1,34 @@
+# frozen_string_literal: true
+
 module Booth
   module Routes
+    # All Rails routes needed by Users.
     class Userland
-      include ::Booth::MethodObject
+      include Calls
 
-      option :response_path, default: -> {}
-      option :self_registration
-      option :self_recovery
+      option :skip_registration, default: -> { false }
 
       def call
-        result = [mandatory_routes]
-        result.push self_registration_routes if self_registration
-        result.push self_recovery_routes if self_recovery
-        result.join
-      end
-
-      private
-
-      def response_path_with_fallback
-        return ':response' if response_path.blank?
-
-        # Just to avoid potential syntax errors, we sanitize the variable little bit.
-        response_path.to_sym.to_s.inspect
-      end
-
-      # ---------
-      # Templates
-      # ---------
-
-      # There is probably no reason to avoid any of these routes.
-      def mandatory_routes
         <<-RUBY
-          # Registering credentials for the first time, such as Hardware keys.
-          resources :onboardings, only: %i[show update]
+          # Users creating their own accounts.
+          resource :registration, only: %i[new create]
 
-          # Login
+          # Logging in
           resource :login, only: %i[new create destroy]
-          resource :response, only: %i[show update], path: #{response_path_with_fallback}
+          resource :remote_login, only: %i[show update], path: #{I18n.t('booth.remote_login_path').to_sym.inspect} # e.g. `path: :fernlogin`
+
+          # Onboarding
+          resources :onboardings, only: %i[show update], path: :onboard
 
-          # Self-service portal
+          # Self-service Portal
           resources :sessions, only: %i[index show destroy] do
             delete :destroy_all_others, on: :collection
           end
-          resource :password, only: %i[show edit update destroy] do
-            collection do
-              get :remove
-              post :sudo
-            end
-          end
-          resource :otp, only: %i[show edit update destroy] do
-            post :sudo, on: :collection
-          end
           resources :webauths, only: %i[index new create destroy] do
             post :sudo, on: :collection
           end
         RUBY
       end
-
-      # If users create their own accounts, you will need these routes.
-      def self_registration_routes
-        <<-RUBY
-          resources :registrations, only: %i[new create]
-        RUBY
-      end
-
-      # If users can recover lost credentials (username/password) via email, you need these routes.
-      def self_recovery_routes
-        <<-RUBY
-          resources :recoveries, only: %i[new create] do
-            get :check_your_mail, on: :collection
-          end
-
-          resources :password_resets, only: %i[new create show update] do
-            get :check_your_mail, on: :collection
-          end
-        RUBY
-      end
     end
   end
 end

data/lib/booth/syntaxes/domain.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Booth
+  module Syntaxes
+    # Checks for a fully quantified domain name (FQDN).
+    class Domain
+      include Calls
+
+      param :input
+
+      # **Example:**
+      #
+      # ```ruby
+      # Booth::Syntaxes::Domain.call('example.com').valid_domain #=> 'example.com'
+      # Booth::Syntaxes::Domain.call('nonesense').valid_domain #=> 'nil'
+      # ```
+      #
+      # **Returns:**
+      #
+      # Tron `Data` object with
+      #
+      # - `#valid_domain` - +nil+ or the syntactically valid domain name as +String+.
+      #
+      def call
+        # Do we need to allow "localhost" in test env?
+        # Maybe it's simpler/safer to run tests against "example.localhost" instead.
+        return Tron.success(:valid_domain_syntax, valid_domain: input.to_s) if regexp.match(input)
+
+        Tron.failure(:invalid_domain_syntax, invalid_domain: input.to_s,
+                                             valid_domain: nil,
+                                             public_message:)
+      end
+
+      private
+
+      # RFC 1035
+      def regexp
+        /\A([a-z0-9]{1}[a-z0-9-]{,63}(?<!-)\.)+[a-z]{2,}\z/
+      end
+
+      def public_message
+        I18n.t('booth.invalid_domain', domain: input)
+      end
+    end
+  end
+end

data/lib/booth/syntaxes/email.rb

@@ -1,13 +1,15 @@
+# frozen_string_literal: true
+
 module Booth
   module Syntaxes
     class Email
       include ::Booth::Logging
-      include ::Booth::MethodObject
+      include Calls
 
       param :input
 
       def call
-        debug { "Checking email #{input.inspect} for valid syntax..." }
+        log { "Checking email #{input.inspect} for valid syntax..." }
         check_blank.on_success { check_too_short }
                    .on_success { check_too_long }
                    .on_success { check_characters }
@@ -19,7 +21,7 @@ module Booth
       def check_blank
         return Tron.success :email_present if input.present?
 
-        debug { 'This email is blank.' }
+        log { 'This email is blank.' }
         Tron.failure :blank_email,
                      normalized_email: nil,
                      normalized_invalid_email: normalized_email,
@@ -29,7 +31,7 @@ module Booth
       def check_too_short
         return Tron.success :email_not_too_short if input.to_s.length >= min_length
 
-        debug { "This email is less than #{min_length} characters long." }
+        log { "This email is less than #{min_length} characters long." }
         Tron.failure :email_is_too_short,
                      normalized_email: nil,
                      normalized_invalid_email: normalized_email,
@@ -39,7 +41,7 @@ module Booth
       def check_too_long
         return Tron.success :email_not_too_long if input.to_s.length <= max_length
 
-        debug { "This email is more than #{max_length} characters long." }
+        log { "This email is more than #{max_length} characters long." }
         Tron.failure :email_is_too_long,
                      normalized_email: nil,
                      normalized_invalid_email: normalized_email,
@@ -49,7 +51,7 @@ module Booth
       def check_characters
         return Tron.success :all_characters_valid if input.to_s.length == normalized_email.length
 
-        debug { 'This email contains invalid characters' }
+        log { 'This email contains invalid characters' }
         Tron.failure :invalid_email_format,
                      normalized_email: nil,
                      normalized_invalid_email: normalized_email,
@@ -57,15 +59,16 @@ module Booth
       end
 
       # See https://github.com/heartcombo/devise/blob/8593801130f2df94a50863b5db535c272b00efe1/lib/devise.rb#L112-L116
+      # and https://github.com/janko/rodauth-rails/blob/62b64c6320334aca5a2805527db8a87d6e3feed8/lib/generators/rodauth/migration/active_record/base.erb#L10
       def check_ampersand
         if input.to_s.match(/\A[^@]+@[^@]+\z/)
-          debug { 'This email has the correct syntax' }
+          log { 'This email has the correct syntax' }
           return Tron.success :valid_email_syntax,
                               normalized_email:,
                               normalized_invalid_email: normalized_email
         end
 
-        debug { 'This email does not contain an ampersand' }
+        log { 'This email does not contain an ampersand' }
         Tron.failure :email_ampersand_invalid,
                      normalized_email: nil,
                      normalized_invalid_email: normalized_email,

data/lib/booth/syntaxes/ip.rb

@@ -1,13 +1,15 @@
+# frozen_string_literal: true
+
 module Booth
   module Syntaxes
     class Ip
       include ::Booth::Logging
-      include ::Booth::MethodObject
+      include Calls
 
       param :input
 
       def call
-        # debug { "Checking IP address #{input.inspect} for valid syntax..." }
+        # log { "Checking IP address #{input.inspect} for valid syntax..." }
         check_blank.on_success { check_validity }
       end
 
@@ -16,14 +18,14 @@ module Booth
       def check_blank
         return Tron.success :ip_present if input.present?
 
-        # debug { 'This IP is blank.' }
+        # log { 'This IP is blank.' }
         Tron.failure :blank_ip, normalized_ip: nil
       end
 
       def check_validity
         return Tron.success :ip_valid, normalized_ip: ip_addr.to_s if ip_addr
 
-        # debug { 'This IP is invalid.' }
+        # log { 'This IP is invalid.' }
         Tron.failure :invalid_ip, normalized_ip: nil
       end
 

data/lib/booth/syntaxes/remote_code.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module Booth
+  module Syntaxes
+    class RemoteCode
+      include ::Booth::Logging
+      include Calls
+
+      param :input
+
+      def call
+        log { "Checking remote #{input.inspect} for valid syntax..." }
+        check_blank.on_success { check_characters }
+                   .on_success { check_length }
+      end
+
+      private
+
+      def check_blank
+        return Tron.success :remote_code_present if input.present?
+
+        log { 'This remote is blank.' }
+        Tron.failure :blank_remote_code,
+                     normalized_remote_code: nil,
+                     public_message: I18n.t('booth.blank_remote_code')
+      end
+
+      def check_characters
+        return Tron.success :remote_code_consists_of_digits if input_without_spaces.match?(allowed_regexp)
+
+        log { 'This remote contains invalid characters' }
+        Tron.failure :invalid_remote_code_format,
+                     normalized_remote_code: nil,
+                     public_message: I18n.t('booth.invalid_remote_code_format')
+      end
+
+      def check_length
+        if input_without_spaces.to_s.length == 6
+          return Tron.success :valid_remote_code_syntax,
+                              normalized_remote_code: input_without_spaces
+        end
+
+        log { "This remote is not 6 characters long." }
+        Tron.failure :wrong_remote_code_length,
+                     normalized_remote_code: nil,
+                     public_message: I18n.t('booth.wrong_remote_code_length', digits: 6)
+      end
+
+      # Helpers
+
+      def input_without_spaces
+        input.to_s.delete(' ')
+      end
+
+      def allowed_regexp
+        /\A\d+\z/
+      end
+    end
+  end
+end

data/lib/booth/syntaxes/scope.rb

@@ -1,20 +1,24 @@
+# frozen_string_literal: true
+
 module Booth
   module Syntaxes
     class Scope
       include ::Booth::Logging
-      include ::Booth::MethodObject
+      include Calls
 
       param :input
 
       def call
-        return Tron.success(:valid_scope_syntax, normalized_scope: input.to_sym) if regexp.match(input.to_s)
+        if regexp.match(input.to_s)
+          return Tron.success(:valid_scope_syntax, normalized_scope: input.to_sym)
+        end
 
         raise ::Booth::Errors::InvalidScopeSyntax, input
       end
 
       # Same convention as a Ruby variable name.
       def regexp
-        /\A[a-z]{1}[a-z0-9_]+[a-z0-9]{1}\z/
+        /\A[a-z]{1}[a-z0-9_]{0,40}[a-z0-9]{1}\z/
       end
     end
   end

data/lib/booth/syntaxes/secret_key.rb

@@ -1,13 +1,15 @@
+# frozen_string_literal: true
+
 module Booth
   module Syntaxes
     class SecretKey
       include ::Booth::Logging
-      include ::Booth::MethodObject
+      include Calls
 
       param :input
 
       def call
-        debug { "Checking secret key #{input.inspect} for valid syntax..." }
+        log { "Checking secret key #{input.inspect} for valid syntax..." }
         check_missing.on_success { check_blank }
                      .on_success { check_length }
                      .on_success { check_characters }
@@ -18,7 +20,7 @@ module Booth
       def check_missing
         return Tron.success :secret_key_non_nil unless input.nil?
 
-        debug { 'This secret key is nil.' }
+        log { 'This secret key is nil.' }
         Tron.failure :missing_secret_key,
                      normalized_secret_key: nil,
                      public_message: I18n.t('booth.missing_secret_key')
@@ -27,7 +29,7 @@ module Booth
       def check_blank
         return Tron.success :secret_key_present if input.present?
 
-        debug { 'This secret key is blank.' }
+        log { 'This secret key is blank.' }
         Tron.failure :blank_secret_key,
                      normalized_secret_key: nil,
                      public_message: I18n.t('booth.blank_secret_key')
@@ -36,7 +38,7 @@ module Booth
       def check_length
         return Tron.success :secret_key_has_correct_length if input.to_s.length == 30
 
-        debug { 'This secret key is not 30 characters long.' }
+        log { 'This secret key is not 30 characters long.' }
         Tron.failure :wrong_secret_key_length,
                      normalized_secret_key: nil,
                      public_message: I18n.t('booth.wrong_secret_key_length')
@@ -48,7 +50,7 @@ module Booth
                               normalized_secret_key: input.to_s
         end
 
-        debug { 'This secret key contains invalid characters' }
+        log { 'This secret key contains invalid characters' }
         Tron.failure :invalid_secret_key_format,
                      normalized_secret_key: nil,
                      public_message: I18n.t('booth.invalid_secret_key_format')