booth 0.0.1 → 0.0.2

data/lib/booth/method_object.rb

@@ -1,73 +0,0 @@
-# Copyright 2018 Bukowskis https://github.com/bukowskis/method_object
-#
-# Permission is hereby granted, free of charge, to any person obtaining
-# a copy of this software and associated documentation files (the
-# "Software"), to deal in the Software without restriction, including
-# without limitation the rights to use, copy, modify, merge, publish,
-# distribute, sublicense, and/or sell copies of the Software, and to
-# permit persons to whom the Software is furnished to do so, subject to
-# the following conditions:
-#
-# The above copyright notice and this permission notice shall be
-# included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-module Booth
-  module MethodObject
-    def self.included(base)
-      base.extend Dry::Initializer
-      base.extend ClassMethods
-      base.send(:private_class_method, :new)
-    end
-
-    module ClassMethods
-      def call(*args, **kwargs, &)
-        __check_for_unknown_options(*args, **kwargs)
-
-        if kwargs.empty?
-          # Preventing `Passing the keyword argument as the last hash parameter is deprecated`
-          new(*args).call(&)
-        else
-          new(*args, **kwargs).call(&)
-        end
-      end
-
-      # Overriding the implementation of `#param` in the `dry-initializer` gem.
-      # Because of the positioning of multiple params, params can never be omitted in a method object.
-      def param(name, type = nil, **opts, &)
-        raise ArgumentError, "Default value for param not allowed - #{name}" if opts.key? :default
-        raise ArgumentError, "Optional params not supported - #{name}" if opts.fetch(:optional, false)
-
-        super
-      end
-
-      def __check_for_unknown_options(*args, **kwargs)
-        return if __defined_options.empty?
-
-        # Checking params
-        opts = args.drop(__defined_params.length).first || kwargs
-        raise ArgumentError, "Unexpected argument #{opts}" unless opts.is_a? Hash
-
-        # Checking options
-        unknown_options = opts.keys - __defined_options
-        message = "Key(s) #{unknown_options} not found in #{__defined_options}"
-        raise KeyError, message if unknown_options.any?
-      end
-
-      def __defined_options
-        dry_initializer.options.map(&:source)
-      end
-
-      def __defined_params
-        dry_initializer.params.map(&:source)
-      end
-    end
-  end
-end

data/lib/booth/mode.rb

@@ -1,22 +0,0 @@
-module Booth
-  module Mode
-    def self.find(symbol)
-      return if symbol.to_s == 'first_time'
-
-      all.detect { _1.id.to_s == symbol.to_s } || raise("Unknown Booth Mode: #{symbol.inspect}")
-    end
-
-    def self.wrap(input)
-      Array(input).map { find(_1) }.sort
-    end
-
-    def self.all
-      [
-        ::Booth::Modes::UsernameAndWebauth, # Recommended for convenience
-        ::Booth::Modes::UsernamePasswordAndWebauth, # Most secure
-        ::Booth::Modes::UsernamePasswordAndOtp, # If you don't have a hardware key
-        ::Booth::Modes::UsernameAndPassword, # Discouraged
-      ]
-    end
-  end
-end

data/lib/booth/models/concerns/modeable.rb

@@ -1,50 +0,0 @@
-module Booth
-  module Models
-    module Concerns
-      module Modeable
-        extend ActiveSupport::Concern
-
-        included do
-          enum mode: { first_time: 'first_time',
-                       username_and_password: 'username_and_password',
-                       username_password_and_otp: 'username_password_and_otp',
-                       username_password_and_webauth: 'username_password_and_webauth',
-                       username_and_webauth: 'username_and_webauth' },
-               _prefix: true
-
-          validates :mode, presence: true, inclusion: { in: modes.keys }
-          validates :mode, inclusion: { in: -> { ['first_time'] + _1.allowed_modes } }
-
-          before_validation :ensure_mode
-        end
-
-        def requires_user_verification?
-          # Passwordless login should always require user presence
-          !mode_username_password_and_webauth?
-        end
-
-        def allows_mode_username_and_password?
-          allowed_modes.include?('username_and_password')
-        end
-
-        def allows_mode_username_password_and_otp?
-          allowed_modes.include?('username_password_and_otp')
-        end
-
-        def allows_mode_username_password_and_webauth?
-          allowed_modes.include?('username_password_and_webauth')
-        end
-
-        def allows_mode_username_and_webauth?
-          allowed_modes.include?('username_and_webauth')
-        end
-
-        private
-
-        def ensure_mode
-          self.mode ||= 'first_time'
-        end
-      end
-    end
-  end
-end

data/lib/booth/models/concerns/otpable.rb

@@ -1,37 +0,0 @@
-module Booth
-  module Models
-    module Concerns
-      module Otpable
-        extend ActiveSupport::Concern
-
-        included do
-          # See https://github.com/heapsource/active_model_otp/blob/master/lib/active_model/one_time_password.rb
-          has_one_time_password length: otp_digits
-        end
-
-        class_methods do
-          def otp_digits
-            6
-          end
-        end
-
-        def authenticate_otp(code)
-          super(code, drift: 30.seconds)
-        end
-
-        def otp_provisioning_url
-          raise "Expected #{self} to respond to #scope" unless respond_to?(:scope)
-
-          provisioning_uri(username, issuer: ::Booth.config.otp_issuer(scope:), digits: otp_digits)
-        end
-
-        def otp_provisioning_svg
-          qr = ::RQRCode::QRCode.new(otp_provisioning_url, level: :l)
-          # See https://whomwah.github.io/rqrcode/
-          qr.as_svg use_path: false,
-                    viewbox: true, fill: 'fff', offset: 5, module_size: 8, svg_attributes: { 'data-booth' => :otpqr }
-        end
-      end
-    end
-  end
-end

data/lib/booth/models/concerns/passwordable.rb

@@ -1,58 +0,0 @@
-module Booth
-  module Models
-    module Concerns
-      module Passwordable
-        extend ActiveSupport::Concern
-
-        included do
-          # See https://github.com/rails/rails/blob/master/activemodel/lib/active_model/secure_password.rb
-          has_secure_password
-
-          define_method('password=') do |unencrypted_password|
-            # We auto-assign a random password before validation.
-            # If a non-empty password was explicitly assigned, then we should not generate a random password.
-            @apparently_wants_no_password = unencrypted_password.blank?
-
-            # See https://github.com/rails/rails/issues/34348#issuecomment-615856794
-            super(unencrypted_password.presence)
-          end
-
-          validates :password, length: { minimum: password_minlength }, allow_blank: true
-          # Don't say anything about breaches if the password was already too short to be accepted.
-          validates :password, not_pwned: {
-                                 on_error: :valid,
-                                 request_options: {
-                                   read_timeout: 3,
-                                   open_timeout: 1
-                                 },
-                               },
-                               allow_blank: true,
-                               if: proc { _1.errors.empty? }
-
-          before_validation :ensure_initial_password
-        end
-
-        class_methods do
-          def password_minlength
-            8
-          end
-
-          # See https://support.1password.com/compatible-website-design
-          # See https://developer.apple.com/password-rules
-          def passwordrules
-            "minlength: #{password_minlength}; maxlength: #{::ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED};"
-          end
-        end
-
-        private
-
-        def ensure_initial_password
-          return if password_digest.present?
-          return if @apparently_wants_no_password
-
-          self.password = ::SecureRandom.alphanumeric(::ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED)
-        end
-      end
-    end
-  end
-end

data/lib/booth/models/contests/scopes/recently_created.rb

@@ -1,23 +0,0 @@
-module Booth
-  module Models
-    module Contests
-      module Scopes
-        class RecentlyCreated
-          include ::Booth::MethodObject
-
-          param :contest
-
-          def self.scope(base)
-            base.where.not(created_at: nil)
-                .where('created_at > ?', ::Booth::Models::Contest.lifespan.ago)
-          end
-
-          def call
-            contest.created_at.present? &&
-              contest.created_at > ::Booth::Models::Contest.lifespan.ago
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/models/contests/scopes/recently_responded.rb

@@ -1,32 +0,0 @@
-module Booth
-  module Models
-    module Contests
-      module Scopes
-        class RecentlyResponded
-          include ::Booth::MethodObject
-
-          param :contest
-
-          def self.scope(base)
-            base.where.not(created_at: nil, responded_at: nil)
-                .where('created_at > ?', lifespan.ago)
-                .where('responded_at > ?', lifespan.ago)
-          end
-
-          def call
-            contest.created_at.present? &&
-              contest.responded_at.present? &&
-              contest.created_at > lifespan.ago &&
-              contest.responded_at > lifespan.ago
-          end
-
-          private
-
-          def lifespan
-            contest.class.lifespan
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/models/password_reset.rb

@@ -1,41 +0,0 @@
-module Booth
-  module Models
-    class PasswordReset < ::Booth::Models::ApplicationRecord
-      include ::Booth::Logging
-      include ::Booth::Models::Concerns::Passwordable
-
-      self.table_name = 'booth_password_resets'
-
-      def self.lifetime
-        ::Booth.config.password_reset_window
-      end
-
-      belongs_to :credential, class_name: '::Booth::Models::Credential'
-
-      validates :creator_ip, presence: true
-
-      # See https://github.com/rails/rails/blob/main/activerecord/lib/active_record/secure_token.rb
-      has_secure_token :secret_key, length: 30
-
-      def step
-        ::Booth::PasswordResets::Step.call(self)
-      end
-
-      def completed?
-        password_chosen_at.present? && password_confirmed_at.present?
-      end
-
-      def revoked?
-        revoked_at.present?
-      end
-
-      def recently_created?
-        created_at > self.class.lifetime.ago
-      end
-
-      def other_password_resets_of_this_credential
-        credential.password_resets.where.not(id:)
-      end
-    end
-  end
-end

data/lib/booth/models/recovery.rb

@@ -1,32 +0,0 @@
-module Booth
-  module Models
-    class Recovery < ::Booth::Models::ApplicationRecord
-      include ::Booth::Logging
-
-      self.table_name = 'booth_recoveries'
-
-      before_validation :normalize_email
-
-      def consumed?
-        consumed_at.present?
-      end
-
-      def revoked?
-        revoked_at.present?
-      end
-
-      def other_recoveries_with_this_scope_and_email
-        self.class
-            .where(scope:)
-            .where(email:)
-            .where.not(id:)
-      end
-
-      private
-
-      def normalize_email
-        self.email = ::Booth::Syntaxes::Email.call(email).normalized_email
-      end
-    end
-  end
-end

data/lib/booth/models/registration.rb

@@ -1,10 +0,0 @@
-module Booth
-  module Models
-    class Registration < ::Booth::Models::ApplicationRecord
-      include ::Booth::Logging
-      include ::Booth::Models::Concerns::ModeEnumerable
-
-      self.table_name = 'booth_registrations'
-    end
-  end
-end

data/lib/booth/modes/base.rb

@@ -1,25 +0,0 @@
-module Booth
-  module Modes
-    module Base
-      extend ActiveSupport::Concern
-
-      class_methods do
-        def id
-          self.to_s.demodulize.underscore
-        end
-
-        def title
-          I18n.t "booth.mode_#{id}_title"
-        end
-
-        def description
-          I18n.t "booth.mode_#{id}_description"
-        end
-
-        def <=>(other)
-          ::Booth::Mode.all.index(self) <=> ::Booth::Mode.all.index(other)
-        end
-      end
-    end
-  end
-end

data/lib/booth/modes/username_and_password.rb

@@ -1,7 +0,0 @@
-module Booth
-  module Modes
-    module UsernameAndPassword
-      include ::Booth::Modes::Base
-    end
-  end
-end

data/lib/booth/modes/username_and_webauth.rb

@@ -1,7 +0,0 @@
-module Booth
-  module Modes
-    module UsernameAndWebauth
-      include ::Booth::Modes::Base
-    end
-  end
-end

data/lib/booth/modes/username_password_and_otp.rb

@@ -1,7 +0,0 @@
-module Booth
-  module Modes
-    module UsernamePasswordAndOtp
-      include ::Booth::Modes::Base
-    end
-  end
-end

data/lib/booth/modes/username_password_and_webauth.rb

@@ -1,7 +0,0 @@
-module Booth
-  module Modes
-    module UsernamePasswordAndWebauth
-      include ::Booth::Modes::Base
-    end
-  end
-end

data/lib/booth/onboardings/find.rb

@@ -1,35 +0,0 @@
-module Booth
-  module Onboardings
-    class Find
-      include ::Booth::Logging
-      include ::Booth::MethodObject
-
-      option :secret_key
-
-      def call
-        check_secret_key_syntax_action
-          .on_success { find_onboarding_action }
-      end
-
-      private
-
-      def check_secret_key_syntax_action
-        ::Booth::Syntaxes::SecretKey.call(secret_key)
-      end
-
-      def find_onboarding_action
-        debug { "Looking for Onboarding with secret key #{secret_key.inspect}" }
-        onboarding = ::Booth::Models::Onboarding.find_by(secret_key:)
-
-        if onboarding
-          debug { "Found Onboarding with ID #{onboarding.id.inspect}" }
-          Tron.success(:found_onboarding, onboarding:)
-        else
-          message = "Could not find userland Onboarding with secret key #{secret_key.inspect}"
-          debug { message }
-          Tron.failure :onboarding_not_found, public_message: I18n.t('booth.unknown_secret_key')
-        end
-      end
-    end
-  end
-end

data/lib/booth/onboardings/propagate_to_credential.rb

@@ -1,63 +0,0 @@
-module Booth
-  module Onboardings
-    class PropagateToCredential
-      include ::Booth::Logging
-      include ::Booth::MethodObject
-
-      param :onboarding
-      option :ip
-      option :agent
-
-      def call
-        debug { 'Propagating Onboarding to Credential...' }
-        raise "Expected Onboarding to be valid: #{onboarding.errors.full_messages.to_sentence}" if onboarding.invalid?
-
-        onboarding.transaction do
-          update_credential!
-          remove_existing_authenticators!
-          create_authenticator!
-          register_audit!
-          finalize_onboarding!
-        end
-        debug { 'Propagation of Onboarding completed' }
-      end
-
-      private
-
-      def update_credential!
-        onboarding.credential.update! mode: onboarding.mode,
-                                      password_digest: onboarding.password_digest,
-                                      otp_secret_key: onboarding.otp_secret_key
-      end
-
-      def remove_existing_authenticators!
-        onboarding.credential.authenticators.destroy_all
-      end
-
-      def create_authenticator!
-        return unless onboarding.authenticator?
-
-        onboarding.credential.authenticators.create! webauthn_id: onboarding.webauthn_id,
-                                                     device_id: onboarding.authenticator_id,
-                                                     nickname: onboarding.authenticator_nickname,
-                                                     public_key: onboarding.authenticator_public_key,
-                                                     sign_count: onboarding.authenticator_sign_count,
-                                                     challenge: onboarding.authenticator_challenge,
-                                                     supports_user_verification: onboarding.requires_user_verification?,
-                                                     confirmed_at: Time.current
-      end
-
-      def register_audit!
-        ::Booth::Audits::Register::CompletedOnboarding.call(
-          credential: onboarding.credential,
-          ip:,
-          agent:
-        )
-      end
-
-      def finalize_onboarding!
-        onboarding.update! propagated_at: Time.current
-      end
-    end
-  end
-end

data/lib/booth/onboardings/step.rb

@@ -1,68 +0,0 @@
-module Booth
-  module Onboardings
-    class Step
-      include ::Booth::MethodObject
-
-      param :onboarding
-
-      def call
-        return :timed_out unless onboarding.recently_created?
-
-        if onboarding.mode_first_time?
-          mode_first_time
-        elsif onboarding.mode_username_and_password?
-          mode_username_and_password
-        elsif onboarding.mode_username_password_and_otp?
-          mode_username_password_and_otp
-        elsif onboarding.mode_username_password_and_webauth?
-          mode_username_password_and_webauth
-        elsif onboarding.mode_username_and_webauth?
-          mode_username_and_webauth
-        else
-          raise 'Invalid Onboarding State'
-        end
-      end
-
-      private
-
-      def mode_first_time
-        :choose_mode
-      end
-
-      def mode_username_and_password
-        return :choose_password if onboarding.password_chosen_at.blank?
-        return :completed if onboarding.password_confirmed_at.present?
-
-        :confirm_password
-      end
-
-      def mode_username_password_and_otp
-        return mode_username_and_password unless mode_username_and_password == :completed
-        return :register_otp if onboarding.otp_registered_at.blank?
-        return :confirm_otp if onboarding.otp_confirmed_at.blank?
-
-        :completed
-      end
-
-      def mode_username_password_and_webauth
-        return mode_username_and_password unless mode_username_and_password == :completed
-
-        mode_username_and_webauth
-      end
-
-      def mode_username_and_webauth
-        return :register_webauth if onboarding.authenticator_id.blank? ||
-                                    onboarding.authenticator_public_key.blank? ||
-                                    onboarding.authenticator_sign_count.blank?
-        return :choose_webauth_nickname if onboarding.authenticator_nickname.blank?
-        return :confirm_webauth if onboarding.authenticator_confirmed_at.blank?
-
-        :completed
-      end
-
-      def mode_unknown
-        :unknown
-      end
-    end
-  end
-end

data/lib/booth/password_resets/create.rb

@@ -1,57 +0,0 @@
-module Booth
-  module PasswordResets
-    class Create
-      include ::Booth::Logging
-      include ::Booth::MethodObject
-
-      option :credential
-      option :email
-      option :ip
-      option :agent
-
-      def call
-        do_check_applicability
-          .on_success { do_check_email_syntax }
-          .on_success { do_check_cooldown }
-          .on_success { do_create_password_reset }
-      end
-
-      private
-
-      def do_check_applicability
-        return Tron.success :credential_has_password if credential.applicable_for_password_reset?
-
-        debug { 'This credential has no password to be reset' }
-        Tron.failure :credential_cannot_reset_password, public_message: I18n.t('booth.password_reset_not_available')
-      end
-
-      def do_check_email_syntax
-        check = ::Booth::Syntaxes::Email.call(email)
-
-        check.on_success do
-          @email_address = check.normalized_email
-        end
-
-        check
-      end
-
-      def do_check_cooldown
-        ::Booth::Cooldowns::PasswordReset.call(credential:)
-      end
-
-      def do_create_password_reset
-        password_reset = nil
-
-        ::Booth::Models::PasswordReset.transaction do
-          password_reset = ::Booth::Models::PasswordReset.create! credential:, creator_ip: ip
-          ::Booth::Audits::Register::RequestedPasswordReset.call credential:, ip:, agent:
-        end
-
-        Tron.success :applicable_for_reset, username: credential.username,
-                                            email: @email_address,
-                                            credential_id: credential.id,
-                                            secret_key: password_reset.secret_key
-      end
-    end
-  end
-end