booth 0.0.1 → 0.0.2

data/lib/booth/testing/userland/onboarding_to_reset_passkeys.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+module Booth
+  module Testing
+    module Userland
+      class OnboardingToResetPasskeys < ::Booth::Testing::IncorporationTestCase
+        def call
+          before_test&.call
+
+          visit_namespaced controller: :onboardings, action: :show, params: { id: 'wrong-key' }
+
+          # ------------------------------ SIGNIFICANT TEST ---------------------------
+          # Onboardings can only be opened with the secret key, typos can be too short.
+          # ---------------------------------------------------------------------------
+          assert_userland_view controller: :onboardings, step: :not_found
+
+          credential = ::Booth::Models::Credential.create!(
+            domain: ::Capybara.app_host.remove('http://'),
+            username: 'alice',
+            scope:,
+          )
+
+          after_credential&.call(credential_id: credential.id)
+
+          temporary_onboarding = ::Booth::Models::Onboarding.create!(
+            credential_id: credential.id,
+          )
+
+          visit_namespaced controller: :onboardings, action: :show,
+                           params: { id: temporary_onboarding.secret_key }
+
+          assert_userland_view controller: :onboardings, step: :redeem
+          click_on :submit
+
+          assert_logged_in username: 'alice'
+
+          temporary_onboarding.destroy!
+          onboarding = ::Booth::Models::Onboarding.create!(
+            credential_id: credential.id,
+          )
+
+          visit_namespaced controller: :onboardings, action: :show,
+                           params: { id: onboarding.secret_key }
+
+          # ----------------------- SIGNIFICANT TEST ---------------
+          # Logged in without Authenticators requires no Onboarding.
+          # --------------------------------------------------------
+          assert_userland_view controller: :onboardings, step: :not_needed
+
+          virtual_authenticators.create
+          visit_namespaced controller: :webauths, action: :new
+
+          assert_userland_view controller: :webauths, step: :register
+
+          click_on :register
+
+          assert_userland_view controller: :webauths, step: :choose_nickname
+
+          fill_in :nickname, with: 'Latchkey'
+          click_on :submit
+
+          assert_userland_view controller: :webauths, step: :confirm
+          click_on :test
+
+          assert_userland_view controller: :webauths, step: :completed
+
+          authenticator = ::Booth::Models::Authenticator.sole
+
+          assert_equal 'Latchkey', authenticator.nickname
+
+          soft_reset_session
+
+          # Onboard via URL
+
+          visit_namespaced controller: :onboardings, action: :show,
+                           params: { id: onboarding.secret_key }
+
+          assert_userland_view controller: :onboardings, step: :redeem
+
+          click_on :submit
+
+          assert_equal 0, ::Booth::Models::Authenticator.count # (Side-effect, so we can avoid sudo)
+
+          visit_namespaced controller: :webauths, action: :new
+
+          # ------------------ SIGNIFICANT TEST -------------------
+          # Redeeming an Onboarding allows for adding new Passkeys.
+          # -------------------------------------------------------
+          assert_userland_view controller: :webauths, step: :register
+
+          click_on :register
+
+          assert_userland_view controller: :webauths, step: :choose_nickname
+
+          fill_in :nickname, with: 'Superkey'
+          click_on :submit
+
+          assert_userland_view controller: :webauths, step: :confirm
+          click_on :test
+
+          assert_userland_view controller: :webauths, step: :completed
+
+          authenticator = ::Booth::Models::Authenticator.sole
+
+          assert_equal 'Superkey', authenticator.nickname
+
+          travel 2.weeks
+          visit_namespaced controller: :onboardings, action: :show,
+                           params: { id: onboarding.secret_key }
+
+          # ---------------------- SIGNIFICANT TEST -----------------
+          # Cannot open an old Onboarding (even if already consumed).
+          # ---------------------------------------------------------
+          assert_userland_view controller: :onboardings, step: :timed_out
+
+          ::Booth::Models::Credential.sole.update!(blocked_at: Time.current)
+
+          visit_namespaced controller: :onboardings, action: :show,
+                           params: { id: onboarding.secret_key }
+
+          # ---------------------- SIGNIFICANT TEST -----------------
+          # Cannot open an old Onboarding when Credential is blocked.
+          # ---------------------------------------------------------
+          assert_userland_view controller: :onboardings, step: :blocked
+        end
+      end
+    end
+  end
+end

data/lib/booth/testing/userland/registration_with_passkey.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+module Booth
+  module Testing
+    module Userland
+      class RegistrationWithPasskey < ::Booth::Testing::IncorporationTestCase
+        def call
+          before_test&.call
+
+          # Register
+
+          visit_namespaced controller: :registrations, action: :new
+
+          return 'Skipping self-registration tests' if page.has_text?('HTTP ERROR 410') # Chrome Page
+
+          virtual_authenticators.create
+
+          assert_userland_view controller: :registrations, step: :choose_username
+
+          fill_in :username, with: 'alice'
+          click_on :submit
+
+          visit_namespaced controller: :webauths, action: :new
+
+          assert_userland_view controller: :webauths, step: :register
+
+          click_on :register
+
+          assert_userland_view controller: :webauths, step: :choose_nickname
+
+          fill_in :nickname, with: 'My Yubikey'
+          click_on :submit
+
+          assert_userland_view controller: :webauths, step: :confirm
+          click_on :test
+
+          # ------------ SIGNIFICANT TEST --------------
+          # Registering a Passkey via the Browser works.
+          # --------------------------------------------
+          assert_userland_view controller: :webauths, step: :completed
+
+          soft_reset_session
+
+          # Login
+
+          visit_namespaced controller: :logins, action: :new
+
+          assert_userland_view controller: :logins, step: :enter_username
+
+          fill_in :username, with: 'alice'
+          click_on :submit
+
+          # --------------------- SIGNIFICANT TEST -------------------------
+          # Without actually logging out, a Session is still regarded alive.
+          # ----------------------------------------------------------------
+          assert_userland_view controller: :logins, step: :remote_session_available
+
+          click_on :skip
+
+          assert_userland_view controller: :logins, step: :enter_webauth
+
+          # --------------------- SIGNIFICANT TEST --------------------------
+          # After registration and adding a Passkey, you can use it to login.
+          # -----------------------------------------------------------------
+          click_on :authenticate
+
+          visit_namespaced controller: :webauths, action: :index
+
+          assert_userland_view controller: :webauths, step: :index
+
+          # Try to register when already logged in
+
+          visit_namespaced controller: :registrations, action: :new
+
+          assert_userland_view controller: :registrations, step: :already_logged_in
+
+          visit_namespaced controller: :webauths, action: :new
+
+          assert_userland_view controller: :webauths, step: :register
+
+          click_on :register
+
+          assert_userland_view controller: :webauths, step: :register
+
+          # --------------------- SIGNIFICANT TEST ---------------
+          # A hardware device cannot be registered multiple times.
+          # ------------------------------------------------------
+          assert_text 'already registered with the relying party'
+        end
+      end
+    end
+  end
+end

data/lib/booth/testing/userland/registration_without_passkey.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module Booth
+  module Testing
+    module Userland
+      class RegistrationWithoutPasskey < ::Booth::Testing::IncorporationTestCase
+        def call
+          before_test&.call
+
+          # Register normally
+
+          visit_namespaced controller: :registrations, action: :new
+
+          # Chrome Page
+          return 'Skipping self-registration tests' if page.has_text?('HTTP ERROR 410')
+
+          assert_userland_view controller: :registrations, step: :choose_username
+
+          fill_in :username, with: 'alice'
+          click_on :submit
+
+          # Propagate login to other device
+
+          code = nil
+          using_session(:other_device) do
+            # Login
+
+            visit_namespaced controller: :logins, action: :new
+
+            assert_userland_view controller: :logins, step: :enter_username
+
+            fill_in :username, with: 'alice'
+            click_on :submit
+
+            assert_userland_view controller: :logins, step: :remote_session_available
+
+            code = find('[data-booth="code"]').text
+          end
+
+          # Redeem remote code
+
+          visit_namespaced controller: :remote_logins, action: :show
+
+          # ------------- SIGNIFICANT TEST -----------------
+          # After registering you are immediately logged in.
+          # ------------------------------------------------
+
+          assert_userland_view controller: :remote_logins, step: :remote_login
+
+          fill_in :code, with: code
+          click_on :submit
+
+          assert_userland_view controller: :remote_logins, step: :remote_solved
+
+          using_session(:other_device) do
+            visit_namespaced controller: :webauths, action: :index
+
+            # -------------------------- SIGNIFICANT TEST ---------------------------
+            # You can remote-login even though you don't have any Authenticators yet.
+            # -----------------------------------------------------------------------
+            assert_userland_view controller: :webauths, step: :index
+          end
+
+          # Try to Login without having any Authenticators
+
+          soft_reset_session
+
+          visit_namespaced controller: :logins, action: :new
+
+          assert_userland_view controller: :logins, step: :enter_username
+
+          fill_in :username, with: 'alice'
+          click_on :submit
+
+          assert_userland_view controller: :logins, step: :remote_session_available
+
+          click_on :skip
+
+          # ------------------ SIGNIFICANT TEST --------------------
+          # If you didn't register any Passkeys, you are locked out.
+          # --------------------------------------------------------
+          assert_userland_view controller: :logins, step: :no_authenticators
+
+          visit_namespaced controller: :registrations, action: :new
+
+          assert_userland_view controller: :registrations, step: :choose_username
+
+          fill_in :username, with: 'alice'
+          click_on :submit
+
+          assert_userland_view controller: :registrations, step: :choose_username
+
+          # ---------------- SIGNIFICANT TEST -------------------
+          # You cannot register a username that is already taken.
+          # -----------------------------------------------------
+          assert_text 'username already exists'
+        end
+      end
+    end
+  end
+end

data/lib/booth/testing/userland/sessions_manage_behavior.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module Booth
+  module Testing
+    module Userland
+      module SessionsManageBehavior
+        include ::Booth::Logging
+
+        def run(button_name:, template:)
+          before_test&.call
+
+          create_and_onboard(username: 'alice')
+          virtual_authenticators.create
+          register_new_passkey(username: 'alice')
+
+          using_session(:"second_browser_#{button_name}") do
+            virtual_authenticators.clone_from_other_session
+            login_with_passkey(username: 'alice')
+
+            visit_namespaced controller: :sessions, action: :index
+
+            assert_userland_view controller: :sessions, step: :index
+            click_on button_name
+
+            # ----------------- SIGNIFICANT TEST -------------------
+            # Revoking another sessions keeps the current one alive.
+            # ------------------------------------------------------
+            assert_logged_in username: 'alice'
+          end
+
+          visit current_path
+
+          # ----------- SIGNIFICANT TEST ---------------
+          # A revoked session is not logged in any more.
+          # --------------------------------------------
+          assert_logged_out
+
+          # Login on first device again and revoke all others
+          virtual_authenticators.refresh_from_other_session
+          login_with_passkey(username: 'alice')
+
+          visit_namespaced controller: :sessions, action: :index
+
+          assert_userland_view controller: :sessions, step: :index
+          travel 21.minutes
+          visit_namespaced controller: :sessions, action: :index
+
+          assert_userland_view controller: :sessions, step: :index
+          click_on button_name
+
+          assert_userland_view controller: :sessions, step: template
+          click_on :authenticate
+
+          assert_userland_view controller: :sessions, step: :index
+
+          using_session(:"second_browser_#{button_name}") do
+            visit_namespaced controller: :sessions, action: :index
+
+            # ----------- SIGNIFICANT TEST ---------------
+            # A revoked session is not logged in any more.
+            # --------------------------------------------
+            assert_logged_out
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/testing/userland/sessions_revoke_all_others.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require_relative 'sessions_manage_behavior'
+
+module Booth
+  module Testing
+    module Userland
+      class SessionsRevokeAllOthers < ::Booth::Testing::IncorporationTestCase
+        include SessionsManageBehavior
+
+        def call
+          run(button_name: :revoke_all_others, template: :enter_webauth_to_destroy_all_others)
+        end
+      end
+    end
+  end
+end

data/lib/booth/testing/userland/sessions_revoke_one.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require_relative 'sessions_manage_behavior'
+
+module Booth
+  module Testing
+    module Userland
+      class SessionsRevokeOne < ::Booth::Testing::IncorporationTestCase
+        include SessionsManageBehavior
+
+        def call
+          run(button_name: :revoke, template: :enter_webauth_to_destroy)
+        end
+      end
+    end
+  end
+end

data/lib/booth/testing/userland.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require_relative 'support/shortcuts/create_and_onboard'
+require_relative 'support/shortcuts/register_new_passkey'
+require_relative 'support/shortcuts/login_with_passkey'
+
+require_relative 'userland/login_remotely'
+require_relative 'userland/onboarding_first_time'
+require_relative 'userland/onboarding_to_reset_passkeys'
+require_relative 'userland/registration_with_passkey'
+require_relative 'userland/registration_without_passkey'
+require_relative 'userland/sessions_manage_behavior'
+require_relative 'userland/sessions_revoke_all_others'
+require_relative 'userland/sessions_revoke_one'
+
+module Booth
+  module Testing
+    module Userland
+      SCENARIOS = [
+        ::Booth::Testing::Userland::RegistrationWithPasskey,
+        ::Booth::Testing::Userland::RegistrationWithoutPasskey,
+        ::Booth::Testing::Userland::OnboardingFirstTime,
+        ::Booth::Testing::Userland::OnboardingToResetPasskeys,
+        ::Booth::Testing::Userland::LoginRemotely,
+        ::Booth::Testing::Userland::SessionsRevokeOne,
+        ::Booth::Testing::Userland::SessionsRevokeAllOthers,
+      ].freeze
+
+      def self.scenarios
+        SCENARIOS.each do |klass|
+          yield ::Booth::Testing::Support::Scenario.new(klass)
+        end
+      end
+    end
+  end
+end

data/lib/booth/to_struct.rb

@@ -1,11 +1,18 @@
+# frozen_string_literal: true
+
 module Booth
+  # Converts a Hash to a Data object.
   class ToStruct
-    include ::Booth::MethodObject
+    include Calls
 
     param :attributes
 
     def call
-      ::Struct.new(*attributes.keys, keyword_init: true).new(**attributes)
+      ::Data.define(*attributes.keys) do
+        def self.inspect
+          "<Data :#{members.join(', :')}>"
+        end
+      end.new(**attributes)
     end
   end
 end

data/lib/booth/userland/extract_flash_messages.rb

@@ -1,10 +1,17 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     class ExtractFlashMessages
       include ::Booth::Logging
-      include ::Booth::MethodObject
+      include Calls
 
+      # Where the message is extracted from.
+      # Example: `from: my_object` where my_object responds to #public_message
       option :from
+
+      # Where the message is passed on to.
+      # Example: `to: flash` where flash responds to #notice=
       option :to
 
       def call
@@ -13,10 +20,10 @@ module Booth
         return if from.public_message.blank?
 
         if from.success?
-          debug { "Saving flash notice: #{from.public_message}" }
+          log { "Saving flash notice: #{from.public_message}" }
           to[:notice] = from.public_message
         else
-          debug { "Saving flash alert: #{from.public_message}" }
+          log { "Saving flash alert: #{from.public_message}" }
           to[:alert] = from.public_message
         end
 

data/lib/booth/userland/logins/create.rb

@@ -1,6 +1,10 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Logins
+      # This Action receives a proof of identity (i.e. username or passkey)
+      # and either asks for more, or logs you in.
       class Create
         include ::Booth::Concerns::Action
 
@@ -14,12 +18,10 @@ module Booth
 
         def transitions
           [
-            ::Booth::Logins::Transitions::Create::ChooseUsername,
-            ::Booth::Logins::Transitions::Create::EnterOtp,
-            ::Booth::Logins::Transitions::Create::SkipRemotes,
-            ::Booth::Logins::Transitions::Create::VerifyPassword,
-            ::Booth::Logins::Transitions::Create::WebauthAuthenticationInitiation,
-            ::Booth::Logins::Transitions::Create::WebauthAuthenticationVerification,
+            ::Booth::Userland::Logins::Transitions::Create::ChooseUsername,
+            ::Booth::Userland::Logins::Transitions::Create::SkipRemotes,
+            ::Booth::Userland::Logins::Transitions::Create::WebauthAuthenticationInitiation,
+            ::Booth::Userland::Logins::Transitions::Create::WebauthAuthenticationVerification
           ]
         end
       end

data/lib/booth/userland/logins/destroy.rb

@@ -1,29 +1,33 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Logins
+      # This Action logs a user out.
       class Destroy
         include ::Booth::Concerns::Action
+        include ::Booth::Logging
 
-        def call
+        def call # rubocop:disable Metrics/AbcSize
           request.must_be_delete!
           request.must_be_html!
 
           if request.authentication.logged_in?
             public_message = I18n.t('booth.successfully_logged_out')
-            ::Booth::Audits::Register::Logout.call credential:,
-                                                   ip: request.ip,
-                                                   agent: request.agent
+            ::Booth::Core::Audit::Logout.call credential:, ip: request.ip, agent: request.agent
           end
 
           reset!
+          # cleanup_orphan_credential!
 
-          Tron.success :logged_out, return_path: request.return_path,
-                                    public_message:
+          Tron.success :logged_out, return_path: request.return_path, public_message:
         end
 
         private
 
         def credential
+          return unless request.authentication.credential_id
+
           @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
         end
 
@@ -31,6 +35,19 @@ module Booth
           request.storage.login.reset
           request.authentication.logout
         end
+
+        # If this is a newly registered Credential, you were only logged in into this browser.
+        # If you didn't add any Authenticators, you cannot log in again later.
+        # Now that you logged out, your Credential is disposable and the username can be freed.
+        # def cleanup_orphan_credential!
+        #   return unless credential # Logged out in another browser window.
+        #   return if credential.authenticators.any?
+
+        #   credential.destroy
+        # rescue StandardError
+        #   # The destruction is allowed to fail if there are tables referencing this credential.
+        #   log { "Could not remove Authenticator-less Credential #{credential.id}" }
+        # end
       end
     end
   end

data/lib/booth/userland/logins/new.rb

@@ -1,51 +1,49 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
+    # Actions in this namespace handle the login of a user.
     module Logins
+      # This Action shows a login form for entering proof of identity (e.g. username, OTP).
       class New
         include ::Booth::Concerns::Action
 
-        def call
+        def call # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
           request.must_be_get!
           request.must_be_html!
 
           if already_logged_in?
             # Bail out early if it would conflict with another session.
-            # Because this could lead to strong confusion for the end-user.
-            ::Booth::Userland::Logins::Transitions::New::AlreadyLoggedIn.call(request:)
+            # Because this could lead to confusion for the end-user.
+            ::Booth::Userland::Logins::Transitions::New::AlreadyLoggedIn.call(scope:, request:)
 
           elsif storage.timed_out?
-            # The browser cookie just destroyed itself.
-            ::Booth::Userland::Logins::Transitions::New::TimedOut.call(request:)
+            # The browser cookie just destroyed itself due to age.
+            # Whether logged in, or not, now you're considered logged out.
+            ::Booth::Userland::Logins::Transitions::New::TimedOut.call(scope:, request:)
 
           elsif storage.credential_for_username.blank?
-            # First of all, we need a username.
+            # At this point we're ready to show the login form, asking for a username.
+            # In order to log someone in, we would first need a username.
             # Without it we wouldn't know which credential to look for.
-            ::Booth::Userland::Logins::Transitions::New::NoUsernameChosen.call(request:)
-
-          elsif storage.credential_for_username.mode_first_time?
-            # If that username is not initialized, bail out again.
-            # This should be an informative site with remedy information.
-            ::Booth::Userland::Logins::Transitions::New::ModeFirstTime.call(request:)
+            ::Booth::Userland::Logins::Transitions::New::NoUsernameChosen.call(scope:, request:)
 
           elsif remote_session_available?
             # If the user is logged in on another device,
             # suggest that that device is used as a remote to login here.
-            ::Booth::Userland::Logins::Transitions::New::RemoteSessionAvailable.call(request:)
-
-          elsif storage.credential_for_username.mode_username_and_password?
-            ::Booth::Userland::Logins::Transitions::New::ModeUsernameAndPassword.call(request:)
+            # This is possible even without registered authenticators.
+            ::Booth::Userland::Logins::Transitions::New::RemoteSessionAvailable.call(scope:, request:)
 
-          elsif storage.credential_for_username.mode_username_password_and_otp?
-            ::Booth::Userland::Logins::Transitions::New::ModeUsernamePasswordAndOtp.call(request:)
-
-          elsif storage.credential_for_username.mode_username_password_and_webauth?
-            ::Booth::Userland::Logins::Transitions::New::ModeUsernamePasswordAndWebauth.call(request:)
-
-          elsif storage.credential_for_username.mode_username_and_webauth?
-            ::Booth::Userland::Logins::Transitions::New::ModeUsernameAndWebauth.call(request:)
+          elsif !storage.credential_for_username.registered_authenticators?
+            # If the username exists, but is not initialized, bail out.
+            # This could happen if the user self-registers, never adds a credential and logs out.
+            # This should be an informative site with remedy information.
+            # The remedy usually has the user go through an onboarding.
+            ::Booth::Userland::Logins::Transitions::New::MissingAuthenticators.call(scope:, request:)
 
           else
-            raise 'Invalid Login State'
+            ::Booth::Userland::Logins::Transitions::New::ModeUsernameAndWebauth.call(scope:, request:)
+
           end
         end