booth 0.0.1 → 0.0.2

data/lib/booth/userland/logins/transitions/create/choose_username.rb

@@ -1,38 +1,73 @@
+# frozen_string_literal: true
+
 module Booth
-  module Logins
-    module Transitions
-      module Create
-        class ChooseUsername
-          include ::Booth::Concerns::Transition
-
-          def self.applicable?(params:)
-            params.dig :login, :username
-          end
+  module Userland
+    module Logins
+      module Transitions
+        module Create
+          # Someone tells us with a POST as which username they would like to log in.
+          class ChooseUsername
+            include ::Booth::Concerns::Transition
 
-          def call
-            finding = ::Booth::Credentials::FindByUsername.call(username: username_param)
+            def self.applicable?(params:)
+              params.dig :login, :username
+            end
 
-            finding.on_success do
-              # Each time a username was entered, we destroy and recreate the Contest for this Credential.
-              contest = ::Booth::Contests::SetForLogin.call(request:, credential_id: finding.credential.id).contest
-              storage.contest_for_username = contest
-              storage.credential_for_username = finding.credential
+            def call
+              do_find_record
+                .on_success { do_check_domain }
+                .on_success { do_check_scope }
+                .on_success { do_reset_remote }
             end
 
-            # Whether the username is valid or not, we persist it in the cookie,
-            # so that it can be shown again in the username text input.
-            storage.username = finding.normalized_invalid_username
-            finding
-          end
+            private
 
-          private
+            attr_accessor :credential
 
-          def username_param
-            params.require(:login).permit(:username)[:username]
-          end
+            def do_find_record
+              finding = ::Booth::Core::Credentials::FindByUsername.call(username: username_param)
+
+              # Whether the username is valid or not, we persist it in the cookie,
+              # so that it can be shown again in the username text input.
+              storage.username = finding.normalized_invalid_username
+              return finding if finding.failure?
+
+              self.credential = finding.credential
+              Tron.success :record_found
+            end
+
+            def do_check_domain
+              ::Booth::Comparisons::Domain.call actual: request.host, expected: credential.domain
+            end
 
-          def storage
-            request.storage.login
+            def do_check_scope
+              ::Booth::Comparisons::Scope.call actual: scope, expected: credential.scope
+            end
+
+            def do_reset_remote
+              # Each time a username was entered, we re-create the Remote for that Credential.
+              # Usernames are secret until voluntarily or involutarily revealed to a hacker.
+              # This feature here could lead to a kind of DOS attack where an attacker enters
+              # the username again and again and the real user could not login remotely.
+              # But in that case - you want to know that there is a hacker - simply rename the user.
+              remote = ::Booth::Core::Remotes::SetForLogin.call(
+                credential_id: credential.id,
+                request:,
+              ).remote
+
+              storage.remote_for_username = remote
+              storage.credential_for_username = credential
+
+              Tron.success :username_found_and_remote_reset
+            end
+
+            def username_param
+              params.expect(login: [:username])[:username]
+            end
+
+            def storage
+              request.storage.login
+            end
           end
         end
       end

data/lib/booth/userland/logins/transitions/create/skip_remotes.rb

@@ -1,21 +1,25 @@
+# frozen_string_literal: true
+
 module Booth
-  module Logins
-    module Transitions
-      module Create
-        class SkipRemotes
-          include ::Booth::Concerns::Transition
+  module Userland
+    module Logins
+      module Transitions
+        module Create
+          class SkipRemotes
+            include ::Booth::Concerns::Transition
 
-          def self.applicable?(params:)
-            params[:skip_remotes].present?
-          end
+            def self.applicable?(params:)
+              params[:skip_remotes].present?
+            end
 
-          def call
-            storage.skip_remotes
-            Tron.success :skipping_remotes
-          end
+            def call
+              storage.skip_remotes
+              Tron.success :skipping_remotes
+            end
 
-          def storage
-            request.storage.login
+            def storage
+              request.storage.login
+            end
           end
         end
       end

data/lib/booth/userland/logins/transitions/create/webauth_authentication_initiation.rb

@@ -1,53 +1,59 @@
-module Booth
-  module Logins
-    module Transitions
-      module Create
-        class WebauthAuthenticationInitiation
-          include ::Booth::Concerns::Transition
-
-          def self.applicable?(params:)
-            params[:webauth] && !params[:type]
-          end
-
-          def call
-            do_check_stale_session
-              .on_success { do_find_credential }
-              .on_success { do_check_webauth }
-          end
-
-          # Helpers
-
-          def do_check_stale_session
-            return Tron.success :session_not_stale unless storage.timed_out?
-
-            public_message = I18n.t('booth.login_timeout', lifespan_minutes: (storage.lifespan / 60))
-            Tron.failure :stale_session, step: :enter_username,
-                                         public_message:
-          end
+# frozen_string_literal: true
 
-          def do_find_credential
-            @credential = storage.credential_for_username
-            return Tron.success :found_credential if @credential
-
-            debug { 'I do not know the credential for this username' }
-            Tron.failure :missing_credential
-          end
-
-          def do_check_webauth
-            debug { 'Preparing webauth challenge...' }
-            challenging = Booth::Credentials::WebauthChallenge.call(credential: @credential)
-            result = Tron.success :webauth_for_you, public_json: challenging.options_for_get, http_status: :ok
-            debug { "The challenge is #{challenging.challenge}" }
-            storage.webauthn_challenge = challenging.challenge
-            debug { "Responding with JSON: #{result.public_json}" }
-            result
-          end
-
-          def storage
-            request.storage.login
+module Booth
+  module Userland
+    module Logins
+      module Transitions
+        module Create
+          class WebauthAuthenticationInitiation
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params[:webauth] && !params[:handshake]&.key?(:type)
+            end
+
+            def call
+              do_check_stale_session
+                .on_success { do_find_credential }
+                .on_success { do_check_webauth }
+            end
+
+            # Helpers
+
+            def do_check_stale_session
+              return Tron.success :session_not_stale unless storage.timed_out?
+
+              public_message = I18n.t('booth.login_timeout',
+                                      lifespan_minutes: (storage.lifespan / 60))
+              Tron.failure :stale_session, step: :enter_username, public_message:
+            end
+
+            def do_find_credential
+              @credential = storage.credential_for_username
+              return Tron.success :found_credential if @credential
+
+              log { 'I do not know the credential for this username' }
+              Tron.failure :missing_credential
+            end
+
+            def do_check_webauth
+              log { 'Preparing webauth challenge...' }
+              challenging = Booth::Core::Credentials::WebauthChallenge.call(credential: @credential,
+                                                                            request:)
+              return Tron.failure(:no_registered_authenticators) if challenging.failure?
+
+              result = Tron.success :webauth_for_you, public_json: challenging.options_for_get,
+                                                      http_status: :created
+              log { "The challenge is #{challenging.challenge}" }
+              storage.webauthn_challenge = challenging.challenge
+              log { "Responding with JSON: #{result.public_json}" }
+              result
+            end
+
+            def storage
+              request.storage.login
+            end
           end
-
-          delegate :authentication, to: :request
         end
       end
     end

data/lib/booth/userland/logins/transitions/create/webauth_authentication_verification.rb

@@ -1,77 +1,81 @@
+# frozen_string_literal: true
+
+65
 module Booth
-  module Logins
-    module Transitions
-      module Create
-        class WebauthAuthenticationVerification
-          include ::Booth::Concerns::Transition
-
-          def self.applicable?(params:)
-            params[:webauth] && params[:type]
-          end
+  module Userland
+    module Logins
+      module Transitions
+        module Create
+          class WebauthAuthenticationVerification
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params[:webauth] && params[:handshake]&.key?(:type)
+            end
 
-          def call
-            do_check_stale_session
-              .on_success { do_find_credential }
-              .on_success { do_find_challenge }
-              .on_success { do_check_webauth }
-          end
+            def call
+              do_check_stale_session
+                .on_success { do_find_credential }
+                .on_success { do_find_challenge }
+                .on_success { do_check_webauth }
+            end
 
-          private
+            private
 
-          delegate :sudo, to: :request
+            delegate :sudo, to: :request
 
-          # Helpers
+            # Helpers
 
-          def do_check_stale_session
-            return Tron.success :session_not_stale unless storage.timed_out?
+            def do_check_stale_session
+              return Tron.success :session_not_stale unless storage.timed_out?
 
-            public_message = I18n.t('booth.login_timeout', lifespan_minutes: (storage.lifespan / 60))
-            debug { public_message }
-            Tron.failure :stale_session, step: :enter_username,
-                                         public_message:
-          end
+              public_message = I18n.t('booth.login_timeout',
+                                      lifespan_minutes: (storage.lifespan / 60))
+              log { public_message }
+              Tron.failure :stale_session, step: :enter_username,
+                                           public_message:
+            end
+
+            def do_find_credential
+              @credential = storage.credential_for_username
+              return Tron.success :found_credential if @credential
 
-          def do_find_credential
-            @credential = storage.password_authenticated_credential
-            return Tron.success :found_credential if @credential
+              log { 'I do not know the credential for this username' }
+              Tron.failure :missing_credential
+            end
 
-            @credential = storage.credential_for_username
-            return Tron.success :found_credential if @credential
+            def do_find_challenge
+              return Tron.success :challenge_ongoing if storage.webauthn_challenge.present?
 
-            debug { 'I do not know the credential for this username' }
-            Tron.failure :missing_credential
-          end
+              log { 'There is no corresponding challenge in the session' }
+              Tron.failure :no_session_challenge, public_json: {},
+                                                  http_status: :unprocessable_entity
+            end
 
-          def do_find_challenge
-            return Tron.success :challenge_ongoing if storage.webauthn_challenge.present?
+            def do_check_webauth
+              verification = ::Booth::Core::Webauth::AuthenticationVerification.call(
+                request:,
+                credential_id: @credential.id,
+                challenge: storage.webauthn_challenge,
+              )
+              return verification if verification.failure?
 
-            debug { 'There is no corresponding challenge in the session' }
-            Tron.failure :no_session_challenge, public_json: {}, http_status: :unprocessable_entity
-          end
+              # Don't let valid Onboarding links linger around when not needed.
+              @credential.onboarding&.destroy!
 
-          def do_check_webauth
-            verification = ::Booth::Webauth::AuthenticationVerification.call(
-              request:,
-              credential_id: @credential.id,
-              challenge: storage.webauthn_challenge
-            )
-            return verification if verification.failure?
-
-            # sudo.webauth! # Why was this up here as well? I forgot.
-            if @credential.mode_username_and_webauth?
-              ::Booth::Sessions::CreateAndLogin.call(credential: verification.credential, request:)
-            elsif @credential.mode_username_password_and_webauth? && @credential == storage.password_authenticated_credential
-              ::Booth::Sessions::CreateAndLogin.call(credential: verification.credential, request:)
-            end
+              ::Booth::Core::Sessions::CreateAndLogin.call(domain: request.host,
+                                                           scope:,
+                                                           credential: verification.credential,
+                                                           request:)
 
-            sudo.webauth! # This also re-sudos after reset caused by potential login above.
+              sudo.webauth! # This also re-sudos after reset caused by potential login above.
 
-            Tron.success :login_completed, public_json: {},
-                                           http_status: :created
-          end
+              Tron.success :login_completed, public_json: {}, http_status: :created
+            end
 
-          def storage
-            request.storage.login
+            def storage
+              request.storage.login
+            end
           end
         end
       end

data/lib/booth/userland/logins/transitions/new/already_logged_in.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Logins
@@ -5,11 +7,10 @@ module Booth
         module New
           class AlreadyLoggedIn
             include ::Booth::Concerns::Transition
-            include ::Booth::Userland::Logins::Transitions::New::Fallible
 
             def call
-              debug { "Good, it looks like you've managed to login" }
-              debug { "Sending you to #{request.return_path.inspect}" } if request.return_path
+              log { "Good, it looks like you've managed to login in scope #{request.scope}" }
+              log { "Sending you to #{request.return_path.inspect}" } if request.return_path
 
               Tron.success :cannot_login_because_already_logged_in, return_path: request.return_path
             end

data/lib/booth/userland/logins/transitions/new/fallible.rb

@@ -1,8 +1,12 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Logins
       module Transitions
         module New
+          # A Concern shared by other Login Transitions.
+          # Convenience method for returning an error with common metadata.
           module Fallible
             extend ActiveSupport::Concern
 

data/lib/booth/userland/logins/transitions/new/{mode_username_and_password.rb → missing_authenticators.rb}

@@ -1,16 +1,17 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Logins
       module Transitions
         module New
-          class ModeUsernameAndPassword
+          class MissingAuthenticators
             include ::Booth::Concerns::Transition
             include ::Booth::Userland::Logins::Transitions::New::Fallible
 
             def call
-              debug { 'I have your username and I only need your password' }
-
-              fail_with :need_password, step: :enter_password
+              log { "Apparently we don't know any authenticators of this user" }
+              fail_with :no_authenticators, step: :no_authenticators
             end
           end
         end

data/lib/booth/userland/logins/transitions/new/mode_username_and_webauth.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Logins
@@ -8,14 +10,14 @@ module Booth
             include ::Booth::Userland::Logins::Transitions::New::Fallible
 
             def call
-              debug { 'I have your username and I only need your Webauth' }
+              log { 'I have your username and I only need your Webauth' }
 
-              if storage.credential_for_username.registered_authenticator_ids.any?
-                debug { 'I know that the user has an authenticator that is to be challenged' }
+              if storage.credential_for_username.registered_authenticators?
+                log { 'I know that the user has an authenticator that is to be challenged' }
                 return fail_with(:need_webauth, step: :enter_webauth)
               end
 
-              debug { "Apparently we don't know any authenticators of this user" }
+              log { "Apparently we don't know any authenticators of this user" }
               fail_with :no_authenticators, step: :no_authenticators
             end
           end

data/lib/booth/userland/logins/transitions/new/no_username_chosen.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Logins
@@ -8,7 +10,7 @@ module Booth
             include ::Booth::Userland::Logins::Transitions::New::Fallible
 
             def call
-              debug { "I don't know of any valid username" }
+              log { "I don't know of any valid username" }
               fail_with :no_username_chosen, step: :enter_username
             end
           end

data/lib/booth/userland/logins/transitions/new/remote_session_available.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Logins
@@ -6,9 +8,10 @@ module Booth
           class RemoteSessionAvailable
             include ::Booth::Concerns::Transition
             include ::Booth::Userland::Logins::Transitions::New::Fallible
+            include ::Booth::Logging
 
             def call
-              # Prerequisites that were arranged by previous transitions.
+              # Checking prerequisites that were arranged by previous transitions.
               raise(::Booth::Errors::Internal, 'Expected a Credential in the cookie.') unless credential
 
               do_respond
@@ -17,22 +20,26 @@ module Booth
             private
 
             def do_respond
-              if contest&.recently_responded?
-                debug { 'Your Contest was solved on the other device. Logging you in...' }
+              if remote&.recently_responded?
+                log { 'Your Remote was solved on the other device. Logging you in...' }
                 # Yes, it's unusual for a GET request to log you in.
-                # We are polling this page and when the Contest was solved remotely, we log this user in.
-                ::Booth::Sessions::CreateAndLogin.call(credential:, request:)
+                # We are polling this page and when the Remote was solved remotely,
+                # we log this user in.
+                ::Booth::Core::Sessions::CreateAndLogin.call(domain: request.host, scope:, credential:, request:)
 
-              elsif contest&.recently_created?
-                debug { 'If you like, you can try a remote device to log you in here.' }
-                # Having entered a username earlier, we can be sure to find a corresponding Contest.
-                expected_code = contest.formatted_code
+              elsif remote&.recently_created?
+                log { 'If you like, you can try a remote device to log you in here.' }
+                # Having entered a username earlier, we can be sure to find a corresponding Remote.
+                expected_code = remote.formatted_code
 
-                fail_with :contest_available,
+                fail_with :remote_available,
                           step: :remote_session_available,
                           expected_code:
               else
-                fail_with :invalid_contest,
+                log { 'The remote was not recently created.' }
+                # The user normally doesn't end up here, because there is a timeout on cookies.
+                # But we still need to check it in case one timeout is smaller than the other.
+                fail_with :invalid_remote,
                           step: :remote_session_expired
               end
             end
@@ -41,8 +48,8 @@ module Booth
               request.storage.login.credential_for_username
             end
 
-            def contest
-              request.storage.login.contest_for_username
+            def remote
+              request.storage.login.remote_for_username
             end
           end
         end

data/lib/booth/userland/logins/transitions/new/timed_out.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Logins
@@ -8,7 +10,7 @@ module Booth
             include ::Booth::Userland::Logins::Transitions::New::Fallible
 
             def call
-              debug { 'Stale session detected, you need to start all over again.' }
+              log { 'Stale session detected, you need to start all over again.' }
 
               fail_with :no_username_chosen, step: :enter_username,
                                              public_message: