booth 0.0.1 → 0.0.2

data/lib/booth/audits/register/correct_password.rb

@@ -1,43 +0,0 @@
-module Booth
-  module Audits
-    module Register
-      class CorrectPassword
-        include ::Booth::MethodObject
-        include ::Booth::Logging
-
-        option :credential
-        option :ip
-        option :agent
-
-        def call
-          ::Booth::Models::Audit.transaction do
-            register_attempt!
-            clear_failed_attempts!
-          end
-
-          nil
-        end
-
-        private
-
-        def register_attempt!
-          debug { "Auditing correct password for credential `#{credential.id}` and IP `#{ip}`" }
-
-          ::Booth::Models::Audit.create! credential:,
-                                         ip:,
-                                         agent:,
-                                         event: :entered_correct_password
-        end
-
-        def clear_failed_attempts!
-          debug { "Redeeming failed password attempts for credential `#{credential.id}` and IP `#{ip}`" }
-
-          ::Booth::Models::Audit.where(credential:)
-                                .where(ip:)
-                                .where(event: :entered_wrong_password)
-                                .update_all(deleted_at: Time.current) # rubocop:disable Rails/SkipsModelValidations
-        end
-      end
-    end
-  end
-end

data/lib/booth/audits/register/logout.rb

@@ -1,22 +0,0 @@
-module Booth
-  module Audits
-    module Register
-      class Logout
-        include ::Booth::MethodObject
-
-        option :credential
-        option :ip
-        option :agent
-
-        def call
-          ::Booth::Models::Audit.create! credential: credential,
-                                         ip: ip,
-                                         agent: agent,
-                                         event: :logout
-
-          nil
-        end
-      end
-    end
-  end
-end

data/lib/booth/audits/register/requested_password_reset.rb

@@ -1,22 +0,0 @@
-module Booth
-  module Audits
-    module Register
-      class RequestedPasswordReset
-        include ::Booth::MethodObject
-
-        option :credential
-        option :ip
-        option :agent
-
-        def call
-          ::Booth::Models::Audit.create! credential: credential,
-                                         ip: ip,
-                                         agent: agent,
-                                         event: :requested_password_reset
-
-          nil
-        end
-      end
-    end
-  end
-end

data/lib/booth/audits/register/wrong_otp.rb

@@ -1,22 +0,0 @@
-module Booth
-  module Audits
-    module Register
-      class WrongOtp
-        include ::Booth::MethodObject
-
-        option :credential
-        option :ip
-        option :agent
-
-        def call
-          ::Booth::Models::Audit.create! credential: credential,
-                                         ip: ip,
-                                         agent: agent,
-                                         event: :entered_wrong_otp
-
-          nil
-        end
-      end
-    end
-  end
-end

data/lib/booth/audits/register/wrong_password.rb

@@ -1,25 +0,0 @@
-module Booth
-  module Audits
-    module Register
-      class WrongPassword
-        include ::Booth::MethodObject
-        include ::Booth::Logging
-
-        option :credential
-        option :ip
-        option :agent
-
-        def call
-          debug { 'Auditing wrong password...' }
-
-          ::Booth::Models::Audit.create! credential: credential,
-                                         ip: ip,
-                                         agent: agent,
-                                         event: :entered_wrong_password
-
-          nil
-        end
-      end
-    end
-  end
-end

data/lib/booth/authenticators/confirm.rb

@@ -1,34 +0,0 @@
-module Booth
-  module Authenticators
-    class Confirm
-      include ::Booth::MethodObject
-      include ::Booth::Logging
-
-      option :authenticator
-      option :sign_count
-
-      def call
-        raise 'Authenticator is already confirmed' if authenticator.confirmed_at
-
-        debug { 'Confirming Authenticator...' }
-        authenticator.transaction do
-          authenticator.update! sign_count: sign_count,
-                                confirmed_at: Time.current
-
-          authenticator.credential.update! mode: new_mode
-        end
-
-        Tron.success :confirmation_successful
-      rescue ActiveRecord::ActiveRecordError => e
-        error { e }
-        Tron.failure :confirmation_failed
-      end
-
-      private
-
-      def new_mode
-        ::Booth::Authenticators::CredentialModeAfterConfirmation.call(authenticator:)
-      end
-    end
-  end
-end

data/lib/booth/authenticators/credential_mode_after_confirmation.rb

@@ -1,25 +0,0 @@
-module Booth
-  module Authenticators
-    class CredentialModeAfterConfirmation
-      include ::Booth::MethodObject
-
-      option :authenticator
-
-      def call
-        return :username_and_webauth if credential.mode_username_and_webauth?
-        return :username_password_and_webauth if credential.mode_username_password_and_webauth?
-
-        return :username_and_webauth if credential.mode_first_time? &&
-                                        authenticator.supports_user_verification?
-
-        return :username_password_and_webauth if credential.mode_username_and_password? ||
-                                                 credential.mode_username_password_and_otp?
-
-        raise "Cannot add webauth for credential #{credential.id} with mode #{credential.mode} " \
-              "and authenticator #{authenticator.id} (user verification: #{authenticator.supports_user_verification?})"
-      end
-
-      delegate :credential, to: :authenticator
-    end
-  end
-end

data/lib/booth/authenticators/step.rb

@@ -1,19 +0,0 @@
-module Booth
-  module Authenticators
-    class Step
-      include ::Booth::MethodObject
-
-      param :authenticator
-
-      def call
-        return :register if authenticator.device_id.blank? ||
-                            authenticator.public_key.blank? ||
-                            authenticator.sign_count.blank?
-        return :choose_nickname if authenticator.nickname.blank?
-        return :confirm if authenticator.confirmed_at.blank?
-
-        :completed
-      end
-    end
-  end
-end

data/lib/booth/contests/get.rb

@@ -1,36 +0,0 @@
-module Booth
-  module Contests
-    class Get
-      include ::Booth::Logging
-      include ::Booth::MethodObject
-
-      option :credential_id
-
-      def call
-        return Tron.failure :contest_not_found unless contest
-
-        Tron.success :found_recent_contest,
-                     formatted_code: contest.formatted_code,
-                     normalized_code: contest.code,
-                     reason: contest.reason.to_sym,
-                     ip: contest.ip,
-                     agent: contest.agent.presence,
-                     location: contest.location.presence,
-                     recently_responded: contest.recently_responded?,
-                     browser_name: contest.browser_name,
-                     platform_name: contest.platform_name,
-                     browser_image_path: contest.browser_image_path,
-                     platform_image_path: contest.platform_image_path
-      end
-
-      private
-
-      def contest
-        return @contest if defined?(@contest)
-
-        @contest = ::Booth::Models::Contest.recently_created_scope
-                                           .find_by(credential_id:)
-      end
-    end
-  end
-end

data/lib/booth/contests/respond.rb

@@ -1,78 +0,0 @@
-module Booth
-  module Contests
-    class Respond
-      include ::Booth::Logging
-      include ::Booth::MethodObject
-
-      option :scope
-      option :contest
-      option :request
-
-      def call
-        do_find_contest
-          .on_success { do_check_timeout }
-          .on_success { do_check_scope }
-          .on_success { do_check_already_responded }
-          .on_success { do_check_code_syntax }
-          .on_success { do_respond }
-      end
-
-      private
-
-      delegate :credential, to: :contest, private: true
-
-      def do_find_contest
-        return Tron.success :contest_exists if contest
-
-        Tron.failure :missing_contest
-      end
-
-      def do_check_timeout
-        return Tron.success :contested_recently if contest.recently_created?
-
-        debug { 'This contest timed out' }
-        Tron.failure :contest_timed_out,
-                     lifespan: contest.lifespan,
-                     public_message: I18n.t('booth.contest_timed_out', lifespan_minutes: contest.lifespan.seconds / 60)
-      end
-
-      def do_check_scope
-        ::Booth::Syntaxes::ScopeComparison.call this: scope, that: credential.scope
-      end
-
-      def do_check_already_responded
-        return Tron.success :ok_waiting_for_response if contest.responded_at.blank?
-
-        debug { "This contest has already been responded to #{contest.responded_at.inspect}" }
-        Tron.failure :already_responded, public_message: I18n.t('booth.already_responded_to_contest')
-      end
-
-      def do_check_code_syntax
-        check = ::Booth::Syntaxes::ContestCode.call(code_param)
-
-        check.on_success do
-          @normalized_code = check.normalized_contest_code
-        end
-
-        check
-      end
-
-      def do_respond
-        return Tron.failure :no_response_needed unless contest.reason.to_sym == :login
-
-        if @normalized_code == contest.code
-          debug { "The code #{@normalized_code} was accepted, persisting positive response..." }
-          contest.update!(responded_at: Time.current)
-          return Tron.success :response_code_accepted,
-                              public_message: I18n.t('booth.contest_response_accepted')
-        end
-
-        Tron.failure :wrong_code, public_message: I18n.t('booth.wrong_response_code')
-      end
-
-      def code_param
-        request.params.require(:response).permit(:code)[:code]
-      end
-    end
-  end
-end

data/lib/booth/contests/set_for_login.rb

@@ -1,28 +0,0 @@
-module Booth
-  module Contests
-    class SetForLogin
-      include ::Booth::Logging
-      include ::Booth::MethodObject
-
-      option :credential_id
-      option :request
-
-      def call
-        contest = nil
-
-        ::Booth::Models::ApplicationRecord.transaction do
-          ::Booth::Models::Contest.where(credential_id:).delete_all
-
-          contest = ::Booth::Models::Contest.create!(
-            credential_id:,
-            reason: :login,
-            ip: request.ip,
-            agent: request.agent
-          )
-        end
-
-        Tron.success :contest_created, contest:
-      end
-    end
-  end
-end

data/lib/booth/cooldowns/distance_of_time.rb

@@ -1,46 +0,0 @@
-module Booth
-  module Cooldowns
-    class DistanceOfTime
-      include ::Booth::MethodObject
-
-      option :from
-      option :till
-
-      def call
-        result = []
-        result.push("#{distance_in_hours} h") if show_hours?
-        result.push("#{distance_in_minutes} min") if show_minutes?
-        result.push("#{distance_in_seconds} s") if show_seconds?
-        result.join(' ')
-      end
-
-      def show_hours?
-        distance_in_hours.positive?
-      end
-
-      def show_minutes?
-        return false if (((till - from).abs % 3600) / 60) < 1
-
-        distance_in_minutes.nonzero?
-      end
-
-      def show_seconds?
-        return true if distance_in_seconds < 60
-
-        distance_in_hours.zero? && distance_in_minutes.zero?
-      end
-
-      def distance_in_hours
-        ((till - from).abs / 3600).floor
-      end
-
-      def distance_in_minutes
-        (((till - from).abs % 3600) / 60).round
-      end
-
-      def distance_in_seconds
-        (till - from).abs.round
-      end
-    end
-  end
-end

data/lib/booth/cooldowns/otp.rb

@@ -1,22 +0,0 @@
-module Booth
-  module Cooldowns
-    class Otp
-      include ::Booth::MethodObject
-
-      option :credential
-
-      def call
-        ::Booth::Cooldowns::Strategies::Global.call scope:,
-                                                    max_attempts: 10
-      end
-
-      private
-
-      def scope
-        ::Booth::Models::Audit.visible_scope
-                              .event_entered_wrong_otp
-                              .where(credential:)
-      end
-    end
-  end
-end

data/lib/booth/cooldowns/password.rb

@@ -1,44 +0,0 @@
-module Booth
-  module Cooldowns
-    class Password
-      include ::Booth::MethodObject
-
-      option :ip
-      option :credential
-
-      def call
-        # No limit for logins where hardware tokens are required.
-        return Tron.success :cool_for_webauth if credential.mode_username_and_webauth?
-        return Tron.success :cool_for_password_and_webauth if credential.mode_username_password_and_webauth?
-
-        if credential.mode_username_password_and_otp?
-          do_check_exponentially
-        else
-          do_check_globally
-        end
-      end
-
-      private
-
-      def do_check_exponentially
-        ::Booth::Cooldowns::Strategies::Exponential.call scope: base_scope
-      end
-
-      def do_check_globally
-        ::Booth::Cooldowns::Strategies::Global.call scope: ip_range_scope, max_attempts: 10
-      end
-
-      # Scopes
-
-      def ip_range_scope
-        base_scope.where('ip << ?', "#{ip}/24")
-      end
-
-      def base_scope
-        ::Booth::Models::Audit.visible_scope
-                              .event_entered_wrong_password
-                              .where(credential:)
-      end
-    end
-  end
-end

data/lib/booth/cooldowns/password_reset.rb

@@ -1,24 +0,0 @@
-module Booth
-  module Cooldowns
-    # Throttles how often you can generate a password reset link.
-    # Note that this does not reveal whether we know the email address or not,
-    # because it throttles the attempts per Credential (i.e. username).
-    class PasswordReset
-      include ::Booth::MethodObject
-
-      option :credential
-
-      def call
-        ::Booth::Cooldowns::Strategies::Exponential.call scope:
-      end
-
-      private
-
-      def scope
-        ::Booth::Models::Audit.visible_scope
-                              .event_requested_password_reset
-                              .where(credential:)
-      end
-    end
-  end
-end

data/lib/booth/cooldowns/strategies/exponential.rb

@@ -1,82 +0,0 @@
-module Booth
-  module Cooldowns
-    module Strategies
-      class Exponential
-        include ::Booth::MethodObject
-        include ::Booth::Logging
-
-        option :scope
-
-        def call
-          return limit_not_yet_reached! if seconds_to_wait.zero?
-
-          limit_reached!
-        end
-
-        private
-
-        def limit_reached!
-          debug { "Wait #{seconds_to_wait}/#{waiting_period} sec for #{number_of_incidents} incidents" }
-          public_message = I18n.t('booth.try_again_cooldown', distance_of_time_until_cooldown:)
-
-          ::Booth::Cooldowns::Strategies::Result.failure(
-            public_message:,
-            attempts_left: 999_999,
-            cooldown_at:,
-            number_of_incidents:
-          )
-        end
-
-        def limit_not_yet_reached!
-          debug { 'No need to wait' }
-
-          ::Booth::Cooldowns::Strategies::Result.success(
-            public_message: nil,
-            attempts_left: 999_999,
-            number_of_incidents:
-          )
-        end
-
-        # Calculation Helpers
-
-        def cooldown_at
-          seconds_to_wait.from_now
-        end
-
-        def seconds_to_wait
-          return 0 unless newest_timestamp
-
-          candidate = newest_timestamp.to_i + waiting_period - Time.current.to_i
-          return 0 if candidate.negative?
-
-          candidate
-        end
-
-        def waiting_period
-          return 2.years if number_of_incidents > 9
-
-          # This effectively implies less than 10 attempts.
-          (5**number_of_incidents).seconds
-        end
-
-        # Queries
-
-        def number_of_incidents
-          @number_of_incidents ||= scope.count
-        end
-
-        def newest_timestamp
-          return @newest_timestamp if defined? @newest_timestamp
-
-          @newest_timestamp = scope.maximum(:created_at)
-        end
-
-        # Helpers
-
-        def distance_of_time_until_cooldown
-          ::Booth::Cooldowns::DistanceOfTime.call(from: Time.current, till: cooldown_at)
-        end
-      end
-    end
-  end
-end

data/lib/booth/cooldowns/strategies/global.rb

@@ -1,62 +0,0 @@
-module Booth
-  module Cooldowns
-    module Strategies
-      class Global
-        include ::Booth::MethodObject
-        include ::Booth::Logging
-
-        option :scope
-        option :max_attempts
-
-        def call
-          if number_of_incidents >= max_attempts
-            limit_reached!
-          else
-            limit_not_yet_reached!
-          end
-        end
-
-        private
-
-        def limit_reached!
-          debug { "Limited globally #{number_of_incidents}/#{max_attempts}" }
-
-          ::Booth::Cooldowns::Strategies::Result.failure(
-            public_message: I18n.t('booth.permanently_blocked'),
-            attempts_left:,
-            cooldown_at: nil,
-            number_of_incidents:
-          )
-        end
-
-        def limit_not_yet_reached!
-          debug { "Not yet globally limited #{number_of_incidents}/#{max_attempts}" }
-
-          ::Booth::Cooldowns::Strategies::Result.success(
-            public_message:,
-            attempts_left:,
-            number_of_incidents:
-          )
-        end
-
-        def public_message
-          return if number_of_incidents.zero?
-
-          if attempts_left == 1
-            I18n.t 'booth.last_attempt'
-          else
-            I18n.t 'booth.attempts_left', attempts_left:
-          end
-        end
-
-        def attempts_left
-          max_attempts - number_of_incidents
-        end
-
-        def number_of_incidents
-          @number_of_incidents ||= scope.count
-        end
-      end
-    end
-  end
-end

data/lib/booth/cooldowns/strategies/result.rb

@@ -1,22 +0,0 @@
-module Booth
-  module Cooldowns
-    module Strategies
-      # All strategies quack the same way.
-      module Result
-        def self.failure(number_of_incidents:, public_message:, cooldown_at:, attempts_left:)
-          Tron.failure :hot, public_message:,
-                             cooldown_at:,
-                             attempts_left:,
-                             number_of_incidents:
-        end
-
-        def self.success(public_message:, number_of_incidents:, attempts_left:)
-          Tron.success :cool, number_of_incidents:,
-                              cooldown_at: nil,
-                              public_message:,
-                              attempts_left:
-        end
-      end
-    end
-  end
-end