booth 0.0.1 → 0.0.2

data/lib/booth/userland/onboardings/show.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Onboardings
@@ -8,61 +10,85 @@ module Booth
           request.must_be_get!
           request.must_be_html!
 
-          do_find_onboarding
-            .on_success { do_check_logged_out }
-            .on_success { do_access_onboarding }
+          do_find
+            .on_success { do_check_consummation }
+            .on_success { do_check_not_logged_in_as_wrong_user }
+            .on_success { do_check_onboarding_not_needed }
+            .on_success { do_access }
         end
 
-        def do_find_onboarding
-          finding = ::Booth::Onboardings::Find.call(secret_key:)
-          finding.on_failure do
-            return Tron.failure finding.failure, step: :not_found, public_message: finding.public_message
+        private
+
+        attr_accessor :onboarding
+
+        def do_find
+          finding = ::Booth::Core::Onboardings::Find.call(domain: request.host,
+                                                          scope:,
+                                                          secret_key:,
+                                                          consumed: :any)
+
+          if finding.success?
+            self.onboarding = finding.onboarding
+            return finding
           end
 
-          @onboarding = finding.onboarding
-          finding
+          step = case finding.failure
+                 when :credential_blocked then :blocked
+                 when :onboarding_outdated then :timed_out
+                 else :not_found
+                 end
+
+          Tron.failure(finding.failure, step:,
+                                        public_message: finding.try(:public_message))
         end
 
-        def do_check_logged_out
-          unless request.authentication.logged_in?
-            debug { "Good, nobody happens to be already logged in in scope #{@onboarding.scope}" }
-            return Tron.success :not_logged_in
-          end
+        def do_check_consummation
+          return Tron.success :onboarding_can_be_consumed unless onboarding.consumed?
 
-          if request.authentication.logged_in_as?(credential: @onboarding.credential)
-            debug { "#{@onboarding.credential.username} is already logged in in scope #{@onboarding.scope}" }
-            return Tron.success :logged_in_as_same_credential
+          if request.authentication.logged_in_as?(credential: onboarding.credential)
+            Tron.failure(:onboarding_completed, username: onboarding.username, step: :success)
+          else
+            Tron.failure(:onboarding_already_consumed, step: :already_used)
           end
+        end
+
+        def do_check_not_logged_in_as_wrong_user
+          if request.authentication.logged_out? ||
+             request.authentication.logged_in_as?(credential: onboarding.credential)
 
-          debug do
-            "Logged in as user #{request.authentication.username.inspect} but trying to onboard as #{@onboarding.username.inspect}"
+            log { "No wrong user is logged in in scope #{onboarding.scope}" }
+            return Tron.success :not_logged_in_as_wrong_user
           end
 
-          Tron.failure :already_logged_in, step: :already_logged_in,
-                                           secret_key: @onboarding.secret_key,
-                                           username: @onboarding.username
+          log { "Cannot onboard #{onboarding.username} because #{request.authentication.username}" }
+          Tron.failure :wrong_user_logged_in, step: :wrong_user,
+                                              secret_key: onboarding.secret_key,
+                                              username: onboarding.username
         end
 
-        # TODO: Check recently created?
+        def do_check_onboarding_not_needed
+          if request.authentication.logged_in_as?(credential: onboarding.credential) &&
+             !onboarding.credential.registered_authenticators?
+
+            log { "#{onboarding.credential.username} already logged in scope #{onboarding.scope}" }
+            # TODO: Incapacitate the onboarding and audit to explain what happened
+            return Tron.failure :onboarding_not_needed, step: :not_needed
+          end
 
-        def do_access_onboarding
-          @onboarding.update! accessed_at: Time.current if @onboarding.accessed_at.blank?
+          Tron.success :onboarding_might_be_needed
+        end
 
-          debug do
-            "Accessed Onboarding #{@onboarding.id.inspect} (Step #{@onboarding.step}) and Credential #{@onboarding.credential_id.inspect}"
+        def do_access
+          if onboarding.accessed_at.blank?
+            onboarding.update! accessed_at: Time.current
+            log { "Accessed Onboarding #{onboarding.id} of Credential #{onboarding.credential_id}" }
           end
-          Tron.success :onboarding_accessed, credential_id: @onboarding.credential_id,
-                                             step: @onboarding.step,
-                                             username: @onboarding.username,
-                                             mode: ::Booth::Mode.find(@onboarding.mode),
-                                             secret_key: @onboarding.secret_key,
-                                             allowed_modes: ::Booth::Mode.wrap(@onboarding.allowed_modes),
-                                             authenticator_id: @onboarding.authenticator_id.presence,
-                                             authenticator_nickname: @onboarding.authenticator_nickname.presence,
-                                             otp_provisioning_svg: @onboarding.otp_provisioning_svg,
-                                             otp_provisioning_url: @onboarding.otp_provisioning_url,
-                                             minlength: @onboarding.class.password_minlength,
-                                             passwordrules: @onboarding.class.passwordrules
+
+          Tron.success :onboarding_accessed, credential_id: onboarding.credential_id,
+                                             username: onboarding.username,
+                                             secret_key: onboarding.secret_key,
+                                             authenticator_count: onboarding.credential.registered_authenticator_ids.count,
+                                             step: :redeem
         end
 
         def secret_key

data/lib/booth/userland/onboardings/update.rb

@@ -1,66 +1,74 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Onboardings
+      # Consume an Onboarding.
       class Update
         include ::Booth::Concerns::Action
 
+        # TODO: Audit and Throttle
         def call
           request.must_be_patch!
 
-          do_find_onboarding
-            .on_success { do_check_propagation }
-            .on_success { do_transition }
+          do_find
+            .on_success { do_check_not_logged_in_as_wrong_user }
+            .on_success { do_destroy_authenticators }
+            .on_success { do_consume }
         end
 
         private
 
-        def do_find_onboarding
-          finding = ::Booth::Onboardings::Find.call(secret_key: params[:id])
-          return finding if finding.failure?
+        attr_accessor :onboarding
+
+        def do_find
+          finding = ::Booth::Core::Onboardings::Find.call(domain: request.host,
+                                                          scope:,
+                                                          secret_key:,
+                                                          consumed: false)
+
+          if finding.success?
+            self.onboarding = finding.onboarding
+            return finding
+          end
 
-          @onboarding = finding.onboarding
-          finding
+          Tron.failure(finding.failure, public_message: finding.try(:public_message))
         end
 
-        def do_check_propagation
-          return Tron.success :not_yet_propagated unless @onboarding.propagated?
+        def do_check_not_logged_in_as_wrong_user
+          if request.authentication.logged_out? ||
+             request.authentication.logged_in_as?(credential: onboarding.credential)
 
-          Tron.failure :already_propagated
+            return Tron.success :not_logged_in_as_wrong_user
+          end
+
+          log { "Cannot onboard #{onboarding.username} because #{request.authentication.username}" }
+          Tron.failure :wrong_user_logged_in
         end
 
-        def initialize_transition
-          transition.call(onboarding: @onboarding, request:)
+        def do_destroy_authenticators
+          onboarding.credential.authenticators.each do |authenticator|
+            authenticator.destroy!
+            log { "Destroyed authenticator #{authenticator.id} of credential #{onboarding.credential.id}" }
+          end
+
+          Tron.success :authenticators_destroyed
         end
 
-        def after_transition
-          @onboarding.reload # Ensure the onboarding instance is in an invalid state after a failed update attempt.
-          debug { "Onboarding updated, now in step #{@onboarding.step}" }
-          return unless @onboarding.completed?
+        def do_consume
+          onboarding.update! consumed_at: Time.current
+          log { "Consumed Onboarding #{onboarding.id} of Credential #{onboarding.credential_id}" }
 
-          ::Booth::Onboardings::PropagateToCredential.call(@onboarding, ip: request.ip, agent: request.agent)
-          # The `CreateRegistration` flow may already have logged you in.
-          return if request.authentication.logged_in?
+          ::Booth::Core::Sessions::CreateAndLogin.call(domain: request.host,
+                                                       scope:,
+                                                       credential: onboarding.credential,
+                                                       request:)
 
-          debug { 'Nobody is logged in, so this Onboarding was without prior self-registration. Logging you in now...'}
-          ::Booth::Sessions::CreateAndLogin.call(credential: @onboarding.credential, request:)
+          Tron.success :onboarding_consumed
         end
 
-        def transitions # rubocop:disable Metrics/MethodLength
-          [
-            ::Booth::Userland::Onboardings::Transitions::Update::ChooseMode,
-            ::Booth::Userland::Onboardings::Transitions::Update::ChoosePassword,
-            ::Booth::Userland::Onboardings::Transitions::Update::ChooseWebauthNickname,
-            ::Booth::Userland::Onboardings::Transitions::Update::ConfirmOtp,
-            ::Booth::Userland::Onboardings::Transitions::Update::ConfirmPassword,
-            ::Booth::Userland::Onboardings::Transitions::Update::RegisterOtp,
-            ::Booth::Userland::Onboardings::Transitions::Update::ResetOtp,
-            ::Booth::Userland::Onboardings::Transitions::Update::ResetPassword,
-            ::Booth::Userland::Onboardings::Transitions::Update::ResetWebauth,
-            ::Booth::Userland::Onboardings::Transitions::Update::WebauthAuthenticationInitiation,
-            ::Booth::Userland::Onboardings::Transitions::Update::WebauthAuthenticationVerification,
-            ::Booth::Userland::Onboardings::Transitions::Update::WebauthRegistrationInitiation,
-            ::Booth::Userland::Onboardings::Transitions::Update::WebauthRegistrationVerification,
-          ]
+        def secret_key
+          params[:id]
         end
       end
     end

data/lib/booth/userland/registrations/create.rb

@@ -1,46 +1,77 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Registrations
+      # User posts a form to self-register a new username.
       class Create
         include ::Booth::Concerns::Action
 
-        option :allowed_modes
-
         def call
           request.must_be_post!
 
-          debug { "You want to register the username #{username_param.inspect}, let's see if it is taken." }
-          finding = ::Booth::Credentials::FindByUsername.call(username: username_param)
+          do_check_domain
+            .on_success { do_check_logged_in }
+            .on_success { do_check_taken }
+            .on_success { do_create }
+        end
+
+        private
+
+        attr_accessor :domain, :username
+
+        def do_check_domain
+          check = ::Booth::Syntaxes::Domain.call(request.host)
+          self.domain = check.valid_domain
+          check
+        end
+
+        def do_check_logged_in
+          if request.authentication.logged_in?
+            log { "Looks like you're already logged in (e.g. POST from a stale form)" }
+            return Tron.failure :already_logged_in
+          end
+
+          Tron.success :currently_not_logged_in
+        end
+
+        def do_check_taken # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
+          log { "You want to register the username #{username_param.inspect}, let's see if taken." }
+          finding = ::Booth::Core::Credentials::FindByUsername.call(username: username_param)
+          self.username = finding.normalized_username
           registration_storage.username = finding.normalized_invalid_username
 
           finding.on_success do
-            debug { 'That username is taken. You should try to login instead.' }
+            log { 'That username is taken. You should try to login instead.' }
             login_storage.credential_for_username = finding.credential
             public_message = I18n.t('booth.username_already_exists')
-            return Tron.success :username_exists, public_message:
+            return Tron.failure :username_exists, public_message:
           end
 
-          debug { 'That username is available.' }
+          log { 'That username is available.' }
           return finding unless finding.failure == :credential_not_found
 
-          creation = ::Booth::Credentials::CreateWithOnboarding.call(
-            username: finding.normalized_username,
-            allowed_modes:,
-            scope:
-          )
+          Tron.success :username_available
+        end
 
-          creation.on_success do
-            ::Booth::Sessions::CreateAndLogin.call(credential: creation.credential, request:)
-            return Tron.success :username_is_available, public_message: 'You have registered an account.'
-          end
+        def do_create # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
+          ::Booth::Models::Credential.transaction do
+            creation = ::Booth::Core::Credentials::Create.call(username:, scope:, domain:)
 
-          Tron.failure :registration_failed, error: creation.error
-        end
+            creation.on_success do
+              ::Booth::Core::Audit::CredentialCreated.call(credential: creation.credential,
+                                                            ip: request.ip, agent: request.agent)
+              ::Booth::Core::Sessions::CreateAndLogin.call(domain: request.host, scope:, credential: creation.credential, request:)
+              return Tron.success :username_is_available, credential_id: creation.credential.id,
+                                                          public_message: 'You have registered an account.'
+            end
 
-        private
+            Tron.failure :registration_failed, error: creation.error
+          end
+        end
 
         def username_param
-          params.require(:registration).permit(:username)[:username]
+          params.expect(registration: [:username])[:username]
         end
 
         def login_storage

data/lib/booth/userland/registrations/new.rb

@@ -1,6 +1,9 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Registrations
+      # Create a Credential for yourself.
       class New
         include ::Booth::Concerns::Action
 
@@ -11,25 +14,21 @@ module Booth
           if already_logged_in?
             call_already_logged_in
           else
-            Tron.failure :choose_username, step: :choose_username, username: storage.username
+            Tron.failure(:choose_username, step: :choose_username, username: storage.username)
           end
         end
 
         private
 
         def call_already_logged_in
-          debug { "Looks like you're already logged in" }
-          Tron.success :logged_in, step: :already_logged_in
+          log { "Looks like you're already logged in" }
+          Tron.failure :logged_in, step: :already_logged_in
         end
 
         def already_logged_in?
           request.authentication.logged_in?
         end
 
-        def username
-          storage.username
-        end
-
         def storage
           request.storage.registration
         end

data/lib/booth/userland/remotes/show.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Booth
+  module Userland
+    module Remotes
+      class Show
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          log { 'You want to receive your personal remote...' }
+
+          if remote.failure?
+            log { "This credential doesn't have any remote right now." }
+            return Tron.success :no_remote, step: :no_remote
+          end
+
+          if remote.recently_responded
+            log { 'The current remote has already been responded to' }
+            return Tron.success :remote_responded, step: :remote_solved
+          end
+
+          log { 'You have a remote to respond to' }
+          Tron.success :you_can_login_remotely,
+                       ip: remote.ip,
+                       agent: remote.agent.presence,
+                       location: remote.location.presence,
+                       browser_name: remote.browser_name,
+                       platform_name: remote.platform_name,
+                       browser_image_path: remote.browser_image_path,
+                       platform_image_path: remote.platform_image_path,
+                       step: :remote_login
+        end
+
+        private
+
+        def credential
+          return @credential if defined?(@credential)
+
+          id = request.authentication.credential_id
+          @credential = ::Booth::Models::Credential.find_by(id:)
+        end
+
+        def remote
+          return unless credential
+          return @remote if defined?(@remote)
+
+          @remote = ::Booth::Core::Remotes::Get.call(credential_id: credential.id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/{personal_contests → remotes}/update.rb

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
-    module PersonalContests
+    module Remotes
       class Update
         include ::Booth::Concerns::Action
 
@@ -18,12 +20,12 @@ module Booth
         end
 
         def do_respond
-          ::Booth::Contests::Respond.call(scope:, contest: credential.contest, request:)
+          ::Booth::Core::Remotes::Respond.call(scope:, remote: credential.remote, request:)
         end
 
         private
 
-        delegate :contest, to: :credential, private: true
+        delegate :remote, to: :credential, private: true
 
         def credential
           return @credential if defined?(@credential)

data/lib/booth/userland/sessions/destroy_one_or_other.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Sessions
@@ -14,25 +16,10 @@ module Booth
         private
 
         def transitions
-          if request.authentication.mode == :username_and_webauth
-            webauth_transitions
-          else
-            password_transitions
-          end
-        end
-
-        def webauth_transitions
           [
             ::Booth::Userland::Sessions::Transitions::Destroy::EnterWebauth,
             ::Booth::Userland::Sessions::Transitions::Destroy::WebauthAuthenticationInitiation,
-            ::Booth::Userland::Sessions::Transitions::Destroy::WebauthAuthenticationVerification,
-          ]
-        end
-
-        def password_transitions
-          [
-            ::Booth::Userland::Sessions::Transitions::Destroy::EnterPassword,
-            ::Booth::Userland::Sessions::Transitions::Destroy::VerifyPassword,
+            ::Booth::Userland::Sessions::Transitions::Destroy::WebauthAuthenticationVerification
           ]
         end
       end

data/lib/booth/userland/sessions/index.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Sessions
@@ -14,8 +16,8 @@ module Booth
         private
 
         def do_fetch_sessions
-          ::Booth::Sessions::Index.call credential_id: authentication.credential_id,
-                                        current_session_id: authentication.session_id
+          ::Booth::Core::Sessions::Index.call credential_id: authentication.credential_id,
+                                              current_session_id: authentication.session_id
         end
 
         def authentication

data/lib/booth/userland/sessions/show.rb

@@ -1,10 +1,13 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Sessions
       # `DELETE /sessions/123` may present a page with a WebAuth authentication challenge.
       # That challenge is responded to asynchronously and in that response the server destroys the session.
       # After that, the page is reloaded by JS using `GET /sessions/123`, which is the `show` action.
-      # But we don't actually have a show action for sessions. We just informatively redirect to the index action.
+      # But we don't actually have a show action for sessions. We just redirect to the index action
+      # with an informative flash message that the session was now deleted.
       class Show
         include ::Booth::Concerns::Action
 
@@ -13,11 +16,7 @@ module Booth
           request.must_be_html!
           request.must_be_logged_in!
 
-          unless request.authentication.mode == :username_and_webauth
-            return Tron.failure :only_applicable_when_passwordless
-          end
-
-          ::Booth::Userland::Sessions::Transitions::Show::EnterWebauth.call request:
+          ::Booth::Userland::Sessions::Transitions::Show::EnterWebauth.call request:, scope:
         end
 
         private

data/lib/booth/userland/sessions/transitions/destroy/enter_webauth.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Sessions
@@ -13,13 +15,13 @@ module Booth
             def call
               if sudo.webauth?
                 if session_id_param
-                  debug { 'Having webauth sudo, revoking the desired session...' }
-                  return ::Booth::Sessions::Revoke.call credential_id: authentication.credential_id,
-                                                        session_id: session_id_param
+                  log { 'Having webauth sudo, revoking the desired session...' }
+                  return ::Booth::Core::Sessions::Revoke.call credential_id: authentication.credential_id,
+                                                              session_id: session_id_param
                 else
-                  debug { 'Having webauth sudo, revoking all other sessions...' }
-                  return ::Booth::Sessions::RevokeAllOthers.call credential_id: authentication.credential_id,
-                                                                 surviving_session_id: authentication.session_id
+                  log { 'Having webauth sudo, revoking all other sessions...' }
+                  return ::Booth::Core::Sessions::RevokeAllOthers.call credential_id: authentication.credential_id,
+                                                                       surviving_session_id: authentication.session_id
                 end
               end
 

data/lib/booth/userland/sessions/transitions/destroy/webauth_authentication_initiation.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Sessions
@@ -7,17 +9,17 @@ module Booth
             include ::Booth::Concerns::Transition
 
             def self.applicable?(params:)
-              params[:webauth] && !params[:type]
+              params[:webauth] && !params.key?(:handshake)
             end
 
             def call
-              debug { 'Preparing webauth challenge...' }
+              log { 'Preparing webauth challenge...' }
               credential = ::Booth::Models::Credential.find(authentication.credential_id)
-              challenging = Booth::Credentials::WebauthChallenge.call(credential:)
-              result = Tron.success :webauth_for_you, public_json: challenging.options_for_get, http_status: :ok
-              debug { "The challenge is #{challenging.challenge}" }
+              challenging = Booth::Core::Credentials::WebauthChallenge.call(credential:, request:)
+              result = Tron.success :webauth_for_you, public_json: challenging.options_for_get, http_status: :created
+              log { "The challenge is #{challenging.challenge}" }
               sudo.webauthn_challenge = challenging.challenge
-              debug { "Responding with JSON: #{result.public_json}" }
+              log { "Responding with JSON: #{result.public_json}" }
               result
             end
 

data/lib/booth/userland/sessions/transitions/destroy/webauth_authentication_verification.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Sessions
@@ -7,7 +9,7 @@ module Booth
             include ::Booth::Concerns::Transition
 
             def self.applicable?(params:)
-              params[:webauth] && params[:type]
+              params[:webauth] && params[:handshake]&.key?(:type)
             end
 
             def call
@@ -20,12 +22,12 @@ module Booth
             def do_find_challenge
               return Tron.success :challenge_ongoing if sudo.webauthn_challenge.present?
 
-              debug { 'There is no corresponding challenge in the session' }
+              log { 'There is no corresponding challenge in the session' }
               Tron.failure :no_session_challenge, public_json: {}, http_status: :unprocessable_entity
             end
 
             def do_check_webauth
-              verification = ::Booth::Webauth::AuthenticationVerification.call(
+              verification = ::Booth::Core::Webauth::AuthenticationVerification.call(
                 request:,
                 credential_id: authentication.credential_id,
                 challenge: sudo.webauthn_challenge
@@ -33,10 +35,10 @@ module Booth
               return verification if verification.failure?
 
               if session_id_param
-                ::Booth::Sessions::Revoke.call credential_id: authentication.credential_id,
+                ::Booth::Core::Sessions::Revoke.call credential_id: authentication.credential_id,
                                                session_id: session_id_param
               else
-                ::Booth::Sessions::RevokeAllOthers.call credential_id: authentication.credential_id,
+                ::Booth::Core::Sessions::RevokeAllOthers.call credential_id: authentication.credential_id,
                                                         surviving_session_id: authentication.session_id
               end