booth 0.0.1 → 0.0.2

data/lib/booth/userland/sessions/transitions/show/enter_webauth.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Sessions
@@ -13,13 +15,13 @@ module Booth
             def call
               if sudo.webauth?
                 if session_id_param
-                  debug { 'Having webauth sudo, revoking the desired session...' }
-                  return ::Booth::Sessions::Revoke.call credential_id: authentication.credential_id,
-                                                        session_id: session_id_param
+                  log { 'Having webauth sudo, revoking the desired session...' }
+                  return ::Booth::Core::Sessions::Revoke.call credential_id: authentication.credential_id,
+                                                              session_id: session_id_param
                 else
-                  debug { 'Having webauth sudo, revoking all other sessions...' }
-                  return ::Booth::Sessions::RevokeAllOthers.call credential_id: authentication.credential_id,
-                                                                 surviving_session_id: authentication.session_id
+                  log { 'Having webauth sudo, revoking all other sessions...' }
+                  return ::Booth::Core::Sessions::RevokeAllOthers.call credential_id: authentication.credential_id,
+                                                                       surviving_session_id: authentication.session_id
                 end
               end
 

data/lib/booth/userland/webauths/create.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Webauths
@@ -8,8 +10,7 @@ module Booth
           request.must_be_post!
           request.must_be_logged_in!
 
-          ::Booth::Userland::Webauths::Guards::Manageable.call(credential:) { return _1 }
-          ::Booth::Userland::Webauths::Guards::Sudo.call(request:, credential:) { return _1 }
+          ::Booth::Userland::Webauths::Guards::Sudo.call(request:, credential:) { return it }
 
           do_ensure_authenticator
             .on_success { do_require_editable_authentictor }
@@ -25,20 +26,32 @@ module Booth
           authenticator = credential.authenticators.find_or_initialize_by(device_id: nil)
           authenticator.generate_webauth_id
 
-          webauth = ::Booth::Webauth::OptionsForCreate.call(
+          webauth = ::Booth::Core::Webauth::OptionsForCreate.call(
             webauthn_id: authenticator.generate_webauth_id,
+            device_ids_to_exclude: credential.registered_authenticator_ids,
             username: credential.username,
-            requires_user_verification: enforce_user_verification?
+            request:,
           )
 
           authenticator.challenge = webauth.challenge
+          authenticator.rp_id = webauth.relying_party_id
 
           if authenticator.save
             storage.authenticator_id = authenticator.id
-            return Tron.success :authenticator_created if storage.authenticator
+          else
+            public_message = "Authenticator creation failed: #{authenticator.errors.to_a.to_sentence}"
+            log { public_message }
+            return Tron.failure :authenticator_persistence_failed,
+                                public_json: { public_message: },
+                                http_status: :internal_server_error
           end
 
-          Tron.failure :authenticator_creation_failed
+          if storage.authenticator
+            Tron.success :authenticator_created
+          else
+            log { 'Authenticator Cookie persistence failed' }
+            Tron.failure :authenticator_creation_failed
+          end
         end
 
         def do_require_editable_authentictor
@@ -56,20 +69,10 @@ module Booth
             ::Booth::Userland::Webauths::Transitions::Create::ChooseNickname,
             ::Booth::Userland::Webauths::Transitions::Create::RegistrationInitiation,
             ::Booth::Userland::Webauths::Transitions::Create::RegistrationVerification,
-            ::Booth::Userland::Webauths::Transitions::Create::Reset,
+            ::Booth::Userland::Webauths::Transitions::Create::Reset
           ]
         end
 
-        # When switching from with-password login to passwordless,
-        # we need to enable a way to add user-verifiable webauth tokens,
-        # even though we are currently not passwordless. That's what the param is for.
-        def enforce_user_verification?
-          ::Booth::Webauth::DemandUserVerification.call(
-            credential:,
-            force: request.params[:enforce_user_verification].present?
-          )
-        end
-
         def storage
           request.storage.webauth
         end

data/lib/booth/userland/webauths/destroy.rb

@@ -1,27 +1,29 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Webauths
       class Destroy
         include ::Booth::Concerns::Action
 
+        option :domain
+
         def call
           request.must_be_delete!
           request.must_be_html!
           request.must_be_logged_in!
 
-          ::Booth::Userland::Webauths::Guards::Manageable.call(credential:) { return _1 }
-          ::Booth::Userland::Webauths::Guards::Sudo.call(request:, credential:) { return _1 }
+          ::Booth::Userland::Webauths::Guards::Sudo.call(request:, credential:) { return it }
 
           do_require_eligible_credential
             .on_success { do_find_authenticator }
             .on_success { do_destroy_authenticator }
-            .on_success { do_update_credential }
         end
 
         private
 
         def do_require_eligible_credential
-          return Tron.success :can_remove_webauth if ::Booth::Credentials::Modes::WebauthRemovable.call(credential)
+          return Tron.success :can_remove_webauth if credential.authenticators.many?
 
           Tron.failure :credential_not_webauth_removable, public_message: I18n.t('booth.webauth_irremovable')
         end
@@ -39,18 +41,6 @@ module Booth
           Tron.failure :could_not_remove_authenticator, public_message: I18n.t('booth.authenticator_removal_failed')
         end
 
-        def do_update_credential
-          if credential.authenticators.present?
-            return Tron.success(:some_authenticator_removed, public_message: I18n.t('booth.some_authenticator_removed'))
-          end
-
-          if credential.mode_username_and_password!
-            return Tron.success :webauth_removed, public_message: I18n.t('booth.webauth_removed')
-          end
-
-          raise "Could not switch Credential #{credential.id} to `username_and_password`: #{credential.errors.to_a}"
-        end
-
         def credential
           @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
         end

data/lib/booth/userland/webauths/guards/sudo.rb

@@ -1,19 +1,24 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Webauths
       module Guards
         class Sudo
-          include ::Booth::MethodObject
+          include Calls
+          include ::Booth::Logging
 
           option :request
           option :credential
 
           def call
-            return if credential.mode_first_time?
-            return if credential.mode_username_and_password?
-            return if credential.mode_username_password_and_otp?
+            if credential.authenticators.registered_scope.none?
+              log { 'You have no registered Authenticators, not requiring sudo of you' }
+              return
+            end
 
-            request.sudo.guard_with_webauth { yield _1 }
+            log { 'You have registered Authenticators, not requiring sudo of you' }
+            request.sudo.guard_with_webauth { yield it }
           end
         end
       end

data/lib/booth/userland/webauths/index.rb

@@ -1,6 +1,9 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Webauths
+      # Lists all currently registered Passkeys for the logged in user.
       class Index
         include ::Booth::Concerns::Action
 
@@ -9,7 +12,6 @@ module Booth
           request.must_be_html!
           request.must_be_logged_in!
 
-          ::Booth::Userland::Webauths::Guards::Manageable.call(credential:) { return _1 }
           ::Booth::Userland::Webauths::Guards::Sudo.call(request:, credential:) { return _1 }
 
           do_index
@@ -29,7 +31,7 @@ module Booth
             ::Booth::ToStruct.call(
               authenticator.attributes
                            .symbolize_keys
-                           .slice(:id, :confirmed_at, :nickname, :supports_user_verification)
+                           .slice(:id, :confirmed_at, :nickname)
             )
           end
         end

data/lib/booth/userland/webauths/new.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Webauths
@@ -9,8 +11,6 @@ module Booth
           request.must_be_html!
           request.must_be_logged_in!
 
-          ::Booth::Userland::Webauths::Guards::Manageable.call(credential:) { return _1 }
-
           # This check must come before the Sudo requirement.
           if authenticator&.confirmed?
             return Tron.success :completed, step: :completed,
@@ -18,7 +18,7 @@ module Booth
                                             should_add_more_authenticators: should_add_more_authenticators?
           end
 
-          ::Booth::Userland::Webauths::Guards::Sudo.call(request:, credential:) { return _1 }
+          ::Booth::Userland::Webauths::Guards::Sudo.call(request:, credential:) { return it }
 
           do_new
         end
@@ -26,12 +26,10 @@ module Booth
         private
 
         def do_new
-          debug { "WebAuthn Authenticator registration in step #{step}" }
-          # debug { authenticator.inspect }
+          log { "WebAuthn Authenticator registration in step #{step}" }
+          # log { authenticator.inspect }
 
-          Tron.success :add_webauth, step:,
-                                     nickname: authenticator&.nickname,
-                                     enforce_user_verification: enforce_user_verification?
+          Tron.success :add_webauth, step:, nickname: authenticator&.nickname
         end
 
         def step
@@ -41,20 +39,7 @@ module Booth
         end
 
         def should_add_more_authenticators?
-          return true if credential.authenticators.registered_scope.count < 2
-          return false unless request.authentication.mode == :username_and_webauth
-
-          credential.authenticators.registered_scope.supports_user_verification_scope.count < 2
-        end
-
-        # When switching from with-password login to passwordless,
-        # we need to enable a way to add user-verifiable webauth tokens,
-        # even though we are currently not passwordless. That's what the param is for.
-        def enforce_user_verification?
-          ::Booth::Webauth::DemandUserVerification.call(
-            credential:,
-            force: params[:enforce_user_verification].present?
-          )
+          credential.authenticators.registered_scope.count < 2
         end
 
         def authenticator

data/lib/booth/userland/webauths/sudo.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Webauths
@@ -16,7 +18,7 @@ module Booth
         def transitions
           [
             ::Booth::Userland::Webauths::Transitions::Sudo::AuthenticationInitiation,
-            ::Booth::Userland::Webauths::Transitions::Sudo::AuthenticationVerification,
+            ::Booth::Userland::Webauths::Transitions::Sudo::AuthenticationVerification
           ]
         end
       end

data/lib/booth/userland/webauths/transitions/create/authentication_initiation.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Webauths
@@ -7,7 +9,7 @@ module Booth
             include ::Booth::Concerns::Transition
 
             def self.applicable?(params:)
-              params.key?(:test) && !params&.key?(:webauth)
+              params.key?(:test) && !params&.key?(:handshake)
             end
 
             def call
@@ -17,15 +19,16 @@ module Booth
             private
 
             def do_challenge
-              webauth = ::Booth::Webauth::OptionsForGet.call(
+              webauth = ::Booth::Core::Webauth::OptionsForGet.call(
                 allowed_device_ids: authenticator.device_id,
-                requires_user_verification: enforce_user_verification?
+                request:,
               )
 
-              debug { "Remembering test challenge #{webauth.challenge.inspect}" }
+              log { "Remembering test challenge #{webauth.challenge.inspect}" }
 
               if authenticator.update challenge: webauth.challenge
-                Tron.success :test_challenge_created, public_json: webauth.as_json, http_status: :created
+                Tron.success :test_challenge_created, public_json: webauth.as_json,
+                                                      http_status: :created
               else
                 Tron.failure :storing_test_challenge_failed
               end
@@ -38,12 +41,6 @@ module Booth
             def credential
               @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
             end
-
-            # I.e. modes `first_time` and `username_and_webauth`.
-            # TODO: Also when force-adding an authenticator for removing a password.
-            def enforce_user_verification?
-              !credential.passworded?
-            end
           end
         end
       end

data/lib/booth/userland/webauths/transitions/create/authentication_verification.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Webauths
@@ -7,7 +9,7 @@ module Booth
             include ::Booth::Concerns::Transition
 
             def self.applicable?(params:)
-              params.key?(:test) && params[:webauth].key?(:rawId)
+              params.key?(:test) && params[:handshake].key?(:rawId)
             end
 
             def call
@@ -20,20 +22,16 @@ module Booth
             private
 
             def do_verify_response
-              debug { 'Verifying challenge...' }
-              # TODO: Replate with ::Booth::Webauth::AuthenticationVerification
-              webauth.verify(authenticator.challenge,
-                             public_key: authenticator.public_key,
-                             sign_count: authenticator.sign_count)
-
-              Tron.success :challenge_response_correct
-            rescue WebAuthn::Error => e
-              debug { "Webauth Handshake failed: #{e.message}" }
-              Tron.failure :invalid_challenge_response
+              log { 'Verifying challenge...' }
+              ::Booth::Core::Webauth::AuthenticationVerification.call(
+                request:,
+                credential_id: authenticator.credential.id,
+                challenge: authenticator.challenge,
+              )
             end
 
             def do_persist_confirmation
-              confirmation = ::Booth::Authenticators::Confirm.call(authenticator:,
+              confirmation = ::Booth::Core::Authenticators::Confirm.call(authenticator:,
                                                                    sign_count: webauth.sign_count)
 
               if confirmation.success?
@@ -50,7 +48,7 @@ module Booth
             end
 
             def webauth_params
-              params.require(:webauth).permit!
+              params.require(:handshake).permit!
             end
 
             def authenticator

data/lib/booth/userland/webauths/transitions/create/choose_nickname.rb

@@ -1,8 +1,11 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Webauths
       module Transitions
         module Create
+          # User submits form to set custom name for a registered Passkey.
           class ChooseNickname
             include ::Booth::Concerns::Transition
 
@@ -20,27 +23,27 @@ module Booth
             def do_check_blank_nickname
               return Tron.success :nickname_is_present if nickname_param.present?
 
-              debug { 'The nickname was blank' }
+              log { 'The nickname was blank' }
               Tron.failure :nickname_is_blank, public_message: I18n.t('booth.blank_nickname')
             end
 
             def do_update_authenticator
               if authenticator.update nickname: nickname_param
-                debug { 'The nickname successfully changed' }
+                log { 'The nickname successfully changed' }
                 Tron.success :nickname_saved
               else
                 public_message = authenticator.errors.to_a.to_sentence
-                debug { "The nickname could not be updated: #{public_message}" }
+                log { "The nickname could not be updated: #{public_message}" }
                 Tron.failure :nickname_failed, public_message:
               end
             end
 
             def nickname_param
-              params.require(:webauth).permit(:nickname)[:nickname]
+              params.expect(webauth: [:nickname])[:nickname]
             end
 
             def authenticator
-              request.storage.webauth.authenticator
+              @authenticator ||= request.storage.webauth.authenticator
             end
           end
         end

data/lib/booth/userland/webauths/transitions/create/registration_initiation.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Webauths
@@ -7,7 +9,7 @@ module Booth
             include ::Booth::Concerns::Transition
 
             def self.applicable?(params:)
-              params&.key?(:register) && !params&.key?(:webauth)
+              params&.key?(:register) && !params&.key?(:handshake)
             end
 
             def call
@@ -18,16 +20,17 @@ module Booth
             private
 
             def do_require_authenticator
-              return Tron.success :authenticator_waiting_for_registration if storage.authenticator.step == :register
+              if storage.authenticator.step == :register
+                return Tron.success :authenticator_waiting_for_registration
+              end
 
               Tron.failure :authenticator_not_registerable
             end
 
             def do_challenge
-              debug { "Remembering registration challenge #{webauth.challenge.inspect}" }
+              log { "Remembering registration challenge #{webauth.challenge.inspect}" }
 
-              if storage.authenticator.update challenge: webauth.challenge,
-                                              supports_user_verification: enforce_user_verification?
+              if storage.authenticator.update challenge: webauth.challenge
                 return Tron.success :registration_challenge_created, public_json: webauth.as_json,
                                                                      http_status: :created
               end
@@ -36,23 +39,21 @@ module Booth
             end
 
             def webauth
-              @webauth ||= ::Booth::Webauth::OptionsForCreate.call(
+              @webauth ||= ::Booth::Core::Webauth::OptionsForCreate.call(
                 webauthn_id: storage.authenticator.webauthn_id,
+                device_ids_to_exclude: credential.registered_authenticator_ids,
                 username: storage.authenticator.credential.username,
-                requires_user_verification: enforce_user_verification?
-              )
-            end
-
-            def enforce_user_verification?
-              ::Booth::Webauth::DemandUserVerification.call(
-                credential: storage.authenticator.credential,
-                force: request.params[:enforce_user_verification].present?
+                request:,
               )
             end
 
             def storage
               request.storage.webauth
             end
+
+            def credential
+              @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+            end
           end
         end
       end

data/lib/booth/userland/webauths/transitions/create/registration_verification.rb

@@ -1,13 +1,17 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Webauths
       module Transitions
         module Create
+          # Controller Transition to verify and persist a new hardware key.
           class RegistrationVerification
             include ::Booth::Concerns::Transition
+            include ::Booth::Logging
 
             def self.applicable?(params:)
-              params&.key?(:register) && params[:webauth]&.key?(:rawId)
+              params&.key?(:register) && params[:handshake]&.key?(:rawId)
             end
 
             def call
@@ -18,47 +22,49 @@ module Booth
             private
 
             def do_verify_response
-              debug { "Verifying challenge #{authenticator.challenge.inspect}" }
-              # TODO: Replate with ::Booth::Webauth::RegistrationVerification (?)
-              webauth.verify(authenticator.challenge)
+              if credential_id != request.storage.webauth.authenticator&.credential_id
+                log { "Credential #{credential_id} does not match Authenticator #{request.storage.webauth.authenticator&.credential_id}" }
+                return Tron.failure :authenticator_credential_mismatch
+              end
 
-              Tron.success :challenge_response_correct
-            rescue WebAuthn::Error => e
-              debug { "Webauth Handshake failed: #{e.message}" }
-              Tron.failure :invalid_challenge_response
+              @verification = ::Booth::Core::Webauth::RegistrationVerification.call(credential_id:,
+                                                                              challenge:,
+                                                                              handshake:,
+                                                                              request:)
+              sudo.webauthn_challenge = nil
+              sudo.webauth! if @verification.failure?
+              @verification
             end
 
             def do_persist_keys
-              debug { "Persisting authenticator information, the sign count is now at #{webauth.sign_count}..." }
-              if authenticator.update(device_id: ::Base64.strict_encode64(webauth.raw_id),
-                                      public_key: webauth.public_key,
-                                      sign_count: webauth.sign_count)
+              log { 'Persisting onboarding-authenticator metadata' }
 
-                return Tron.success :challenge_accepted, public_json: {}, http_status: :created
+              if request.storage.webauth.authenticator.update(device_id: @verification.device_id,
+                                                              aaguid: @verification.aaguid,
+                                                              issuer: @verification.issuer,
+                                                              attachment: @verification.attachment,
+                                                              public_key: @verification.public_key,
+                                                              sign_count: @verification.sign_count)
+                # request.storage.webauth.reset
+                return Tron.success :webauth_registration_verification_successful,
+                                    public_json: {},
+                                    http_status: :created
               end
-
               Tron.failure :storing_response_failed
             end
 
-            def webauth
-              @webauth ||= ::WebAuthn::Credential.from_create(webauth_params)
-            end
+            delegate :sudo, to: :request
 
-            def webauth_params
-              params.require(:webauth).permit!
+            def credential_id
+              request.authentication.credential_id
             end
 
-            # def credential
-            #   @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
-            # end
-
-            def mode_after_update
-              @mode_after_update ||= ::Booth::Webauth::ModeAfterAdd.call(credential:,
-                                                                         authenticator:)
+            def challenge
+              request.storage.webauth.authenticator&.challenge
             end
 
-            def authenticator
-              request.storage.webauth.authenticator
+            def handshake
+              request.params.require(:handshake).permit!
             end
           end
         end

data/lib/booth/userland/webauths/transitions/create/reset.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Webauths

data/lib/booth/userland/webauths/transitions/new/step.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 # module Booth
 #   module Userland
 #     module Webauths
 #       module New
 #         class Step
-#           include ::Booth::MethodObject
+#           include Calls
 
 #           param :authenticator
 

data/lib/booth/userland/webauths/transitions/sudo/authentication_initiation.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Userland
     module Webauths
@@ -17,12 +19,12 @@ module Booth
             private
 
             def do_challenge
-              webauth = ::Booth::Webauth::OptionsForGet.call(
+              webauth = ::Booth::Core::Webauth::OptionsForGet.call(
                 allowed_device_ids: credential.registered_authenticator_ids,
-                requires_user_verification: enforce_user_verification?
+                request:,
               )
 
-              debug { "Remembering sudo challenge #{webauth.challenge.inspect}" }
+              log { "Remembering sudo challenge #{webauth.challenge.inspect}" }
 
               request.sudo.webauthn_challenge = webauth.challenge
               Tron.success :test_challenge_created, public_json: webauth.as_json,
@@ -32,13 +34,6 @@ module Booth
             def credential
               @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
             end
-
-            def enforce_user_verification?
-              ::Booth::Webauth::DemandUserVerification.call(
-                credential:,
-                force: params[:enforce_user_verification].present?
-              )
-            end
           end
         end
       end