booth 0.0.1 → 0.0.2

data/lib/booth/userland/onboardings/transitions/update/webauth_authentication_verification.rb

@@ -1,59 +0,0 @@
-module Booth
-  module Userland
-    module Onboardings
-      module Transitions
-        module Update
-          class WebauthAuthenticationVerification
-            include ::Booth::Concerns::Transition
-
-            option :onboarding
-
-            def self.applicable?(params:)
-              params&.key?(:test_webauth) && params[:onboarding]&.key?(:rawId)
-            end
-
-            def call
-              do_verify_response
-                .on_success { do_persist_confirmation }
-            end
-
-            private
-
-            def do_verify_response
-              debug { 'Verifying challenge...' }
-              # TODO: Replate with ::Booth::Webauth::AuthenticationVerification (?)
-              webauth.verify(@onboarding.authenticator_challenge,
-                             public_key: @onboarding.authenticator_public_key,
-                             sign_count: @onboarding.authenticator_sign_count)
-
-              Tron.success :challenge_response_correct
-            rescue WebAuthn::Error => e
-              debug { "Webauth Handshake failed: #{e.message}" }
-              Tron.failure :invalid_challenge_response
-            end
-
-            def do_persist_confirmation
-              debug { 'Updating succeeded sign count and authenticator confirmation...' }
-              if onboarding.update(authenticator_sign_count: webauth.sign_count,
-                                   authenticator_confirmed_at: Time.current)
-
-                return Tron.success :webauth_authentication_verification_successful, public_json: {},
-                                                                                     http_status: :created
-              end
-
-              Tron.failure :storing_response_failed
-            end
-
-            def webauth
-              @webauth ||= ::WebAuthn::Credential.from_get(onboarding_params)
-            end
-
-            def onboarding_params
-              params.require(:onboarding).permit!
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/onboardings/transitions/update/webauth_registration_initiation.rb

@@ -1,46 +0,0 @@
-module Booth
-  module Userland
-    module Onboardings
-      module Transitions
-        module Update
-          class WebauthRegistrationInitiation
-            include ::Booth::Concerns::Transition
-
-            option :onboarding
-
-            def self.applicable?(params:)
-              params&.key?(:register_webauth) && !params&.key?(:onboarding)
-            end
-
-            def call
-              do_challenge
-            end
-
-            private
-
-            def do_challenge
-              debug { "Remembering registration challenge #{webauth.challenge.inspect}" }
-
-              if onboarding.update authenticator_challenge: webauth.challenge
-                return Tron.success :registration_challenge_created, public_json: webauth.as_json,
-                                                                     http_status: :created
-              end
-
-              Tron.failure :storing_registration_challenge_failed
-            end
-
-            def webauth
-              @webauth ||= ::Booth::Webauth::OptionsForCreate.call(
-                webauthn_id: onboarding.webauthn_id,
-                username: onboarding.credential.username,
-                requires_user_verification: onboarding.requires_user_verification?
-                # No need to exclude existing hardware keys.
-                # You can not register more than one hardware key in this onboarding.
-              )
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/onboardings/transitions/update/webauth_registration_verification.rb

@@ -1,56 +0,0 @@
-module Booth
-  module Userland
-    module Onboardings
-      module Transitions
-        module Update
-          class WebauthRegistrationVerification
-            include ::Booth::Concerns::Transition
-
-            option :onboarding
-
-            def self.applicable?(params:)
-              params&.key?(:register_webauth) && params[:onboarding]&.key?(:rawId)
-            end
-
-            def call
-              do_verify_response
-                .on_success { do_persist_keys }
-            end
-
-            private
-
-            def do_verify_response
-              debug { "Verifying challenge #{@onboarding.authenticator_challenge.inspect}" }
-              webauth.verify(@onboarding.authenticator_challenge)
-
-              Tron.success :challenge_response_correct
-            rescue WebAuthn::Error => e
-              debug { "Webauth Handshake failed: #{e.message}" }
-              Tron.failure :invalid_challenge_response
-            end
-
-            def do_persist_keys
-              debug { "Persisting authenticator information, the sign count is now at #{webauth.sign_count}..." }
-              if onboarding.update(authenticator_id: ::Base64.strict_encode64(webauth.raw_id),
-                                   authenticator_public_key: webauth.public_key,
-                                   authenticator_sign_count: webauth.sign_count)
-
-                return Tron.success :challenge_accepted, public_json: {}, http_status: :created
-              end
-
-              Tron.failure :storing_response_failed
-            end
-
-            def webauth
-              @webauth ||= ::WebAuthn::Credential.from_create(onboarding_params)
-            end
-
-            def onboarding_params
-              params.require(:onboarding).permit!
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/otps/destroy.rb

@@ -1,42 +0,0 @@
-module Booth
-  module Userland
-    module Otps
-      class Destroy
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_delete!
-          request.must_be_html!
-          request.must_be_logged_in!
-          request.sudo.guard_with_otp { return _1 }
-
-          do_require_eligible_credential
-            .on_success { do_destroy }
-        end
-
-        private
-
-        def do_require_eligible_credential
-          return Tron.success :can_remove_otp if ::Booth::Credentials::Modes::OtpRemovable.call(credential)
-
-          Tron.failure :credential_not_otpable, public_message: I18n.t('booth.otp_not_eligible')
-        end
-
-        def do_destroy
-          if credential.mode_username_and_password!
-            credential.otp_regenerate_secret
-            credential.save # Not critical if this one fails
-
-            return Tron.success :otp_removed, public_message: I18n.t('booth.otp_removed')
-          end
-
-          Tron.failure :otp_removal_failed
-        end
-
-        def credential
-          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/otps/edit.rb

@@ -1,72 +0,0 @@
-module Booth
-  module Userland
-    module Otps
-      class Edit
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_get!
-          request.must_be_html!
-          request.must_be_logged_in!
-
-          ::Booth::Userland::Otps::Guards::Manageable.call(credential:) { return _1 }
-          ::Booth::Userland::Otps::Guards::Sudo.call(request:, credential:) { return _1 }
-
-          do_require_eligible_credential
-            # .on_success { do_clear_previous_editing }
-            .on_success { do_ensure_temporary_secret_key }
-            .on_success { do_reveal_otp_secret }
-        end
-
-        private
-
-        def do_require_eligible_credential
-          return Tron.success :can_add_otp if ::Booth::Credentials::Modes::OtpAddable.call(credential)
-          return Tron.success :can_change_otp if ::Booth::Credentials::Modes::OtpChangeable.call(credential)
-
-          Tron.failure :credential_not_otpable, public_message: I18n.t('booth.otp_not_eligible')
-        end
-
-        # Hm, tests failed with this.
-        # def do_clear_previous_editing
-        #   return Tron.success :no_previous_editing unless storage.secret_key_recently_changed?
-        #   return Tron.success :reset_not_requested unless request.params[:reset]
-
-        #   #storage.reset
-        #   Tron.success :previous_editing_cleared
-        # end
-
-        def do_ensure_temporary_secret_key
-          return Tron.success :secret_key_exists if storage.secret_key
-
-          storage.generate_secret_key!
-          Tron.success :secret_generated
-        end
-
-        def do_reveal_otp_secret
-          dummy = ::Booth::Models::Credential.new otp_secret_key: storage.secret_key, scope: scope
-
-          Tron.success :register_otp, step:,
-                                      otp_provisioning_svg: dummy.otp_provisioning_svg,
-                                      otp_provisioning_url: dummy.otp_provisioning_url
-        end
-
-        def step
-          return :successfully_changed if storage.secret_key_recently_changed?
-
-          return :confirm if storage.secret_key_has_been_seen?
-
-          :register
-        end
-
-        def storage
-          request.storage.otp
-        end
-
-        def credential
-          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/otps/guards/manageable.rb

@@ -1,21 +0,0 @@
-module Booth
-  module Userland
-    module Otps
-      module Guards
-        class Manageable
-          include ::Booth::Logging
-          include ::Booth::MethodObject
-
-          option :credential
-
-          def call
-            return if ::Booth::Credentials::Modes::OtpManageable.call(credential)
-
-            debug { 'OTP is not relevant to this credential' }
-            yield Tron.failure :otp_not_configurable, public_message: I18n.t('booth.otp_unavailable')
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/otps/guards/sudo.rb

@@ -1,23 +0,0 @@
-module Booth
-  module Userland
-    module Otps
-      module Guards
-        class Sudo
-          include ::Booth::MethodObject
-
-          option :request
-          option :credential
-
-          def call
-            return if credential.mode_first_time?
-            return if credential.mode_username_and_password?
-            return if credential.mode_username_password_and_webauth?
-            return if credential.mode_username_and_webauth?
-
-            request.sudo.guard_with_otp { yield _1 }
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/otps/show.rb

@@ -1,36 +0,0 @@
-module Booth
-  module Userland
-    module Otps
-      class Show
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_get!
-          request.must_be_html!
-          request.must_be_logged_in!
-
-          ::Booth::Userland::Otps::Guards::Manageable.call(credential:) { return _1 }
-          ::Booth::Userland::Otps::Guards::Sudo.call(request:, credential:) { return _1 }
-
-          do_show
-        end
-
-        private
-
-        def do_show
-          if credential.mode_username_password_and_otp?
-            return Tron.success :current_otp, step: :show,
-                                              otp_provisioning_svg: credential.otp_provisioning_svg,
-                                              otp_provisioning_url: credential.otp_provisioning_url
-          end
-
-          Tron.success :otp_addable, step: :add
-        end
-
-        def credential
-          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/otps/sudo.rb

@@ -1,51 +0,0 @@
-module Booth
-  module Userland
-    module Otps
-      class Sudo
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_post!
-          request.must_be_html!
-          request.must_be_logged_in!
-
-          do_find_credential
-            .on_success { do_require_credential_has_otp }
-            .on_success { do_check_code }
-            .on_success { do_grant_sudo }
-        end
-
-        private
-
-        def do_find_credential
-          @credential = ::Booth::Models::Credential.find(request.authentication.credential_id)
-          return Tron.success :found_credential if @credential
-
-          Tron.failure :missing_credential
-        end
-
-        def do_require_credential_has_otp
-          return Tron.success :credential_has_otp if @credential.mode_username_password_and_otp?
-
-          Tron.failure :credential_has_no_otp, public_message: I18n.t('booth.otp_unavailable')
-        end
-
-        def do_check_code
-          ::Booth::Credentials::OtpAuthentication.call credential: @credential,
-                                                       code: code_param,
-                                                       ip: request.ip,
-                                                       agent: request.agent
-        end
-
-        def do_grant_sudo
-          request.sudo.otp!
-          Tron.success :otp_sudo_granted
-        end
-
-        def code_param
-          params.require(:otp).permit(:otp)[:otp]
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/otps/transitions/update/confirm.rb

@@ -1,84 +0,0 @@
-module Booth
-  module Userland
-    module Otps
-      module Transitions
-        module Update
-          class Confirm
-            include ::Booth::Concerns::Transition
-
-            def self.applicable?(params:)
-              params.key?(:otp) && params[:otp].key?(:otp_confirmation)
-            end
-
-            def call
-              do_check_secret_key
-                .on_success { do_find_credential }
-                .on_success { do_require_eligible_credential }
-                .on_success { do_compare_code }
-                .on_success { do_update_credential }
-                .on_success { do_audit }
-            end
-
-            private
-
-            def do_check_secret_key
-              return Tron.success :secret_key_exists if storage.secret_key.present?
-
-              Tron.failure :missing_secret_key
-            end
-
-            def do_find_credential
-              @credential = ::Booth::Models::Credential.find(request.authentication.credential_id)
-              return Tron.success :found_credential if @credential
-
-              Tron.failure :missing_credential
-            end
-
-            def do_require_eligible_credential
-              return Tron.success :can_add_otp if ::Booth::Credentials::Modes::OtpAddable.call(@credential)
-              return Tron.success :can_change_otp if ::Booth::Credentials::Modes::OtpChangeable.call(@credential)
-
-              Tron.failure :credential_not_otpable, public_message: I18n.t('booth.otp_not_eligible')
-            end
-
-            def do_compare_code
-              @credential.otp_secret_key = storage.secret_key
-              return Tron.success :correct_code if @credential.authenticate_otp(code_param)
-
-              debug { "Provided code #{code_param} did not match expected code #{@credential.otp_code}" }
-              Tron.failure :wrong_code, public_message: I18n.t('booth.wrong_otp')
-            end
-
-            def do_update_credential
-              @credential.mode = :username_password_and_otp
-
-              if @credential.save
-                request.sudo.otp!
-                debug { 'You confirmed your newly changed otp' }
-                return Tron.success :otp_confirmed
-              end
-
-              debug { "The confirmation was correct but the update failed: #{@credential.errors.to_a.to_sentence}" }
-              Tron.failure :correct_otp_confirmation_failed
-            end
-
-            def do_audit
-              ::Booth::Audits::Register::ChangedOtp.call credential: @credential, ip: request.ip, agent: request.agent
-              storage.secret_key_recently_changed!
-
-              Tron.success :audit_created
-            end
-
-            def code_param
-              params.require(:otp).permit(:otp_confirmation)[:otp_confirmation]
-            end
-
-            def storage
-              request.storage.otp
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/otps/transitions/update/register.rb

@@ -1,40 +0,0 @@
-module Booth
-  module Userland
-    module Otps
-      module Transitions
-        module Update
-          class Register
-            include ::Booth::Concerns::Transition
-
-            def self.applicable?(params:)
-              params&.key?(:register)
-            end
-
-            def call
-              do_check_secret_key
-                .on_success { do_register_otp }
-            end
-
-            private
-
-            def do_check_secret_key
-              return Tron.success :secret_key_exists if storage.secret_key.present?
-
-              Tron.failure :missing_secret_key
-            end
-
-            def do_register_otp
-              storage.secret_key_has_been_seen!
-
-              Tron.success :otp_secret_registered
-            end
-
-            def storage
-              request.storage.otp
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/otps/transitions/update/reset.rb

@@ -1,31 +0,0 @@
-module Booth
-  module Userland
-    module Otps
-      module Transitions
-        module Update
-          class Reset
-            include ::Booth::Concerns::Transition
-
-            def self.applicable?(params:)
-              params.key?(:reset)
-            end
-
-            def call
-              do_reset
-            end
-
-            private
-
-            def do_reset
-              storage.reset
-            end
-
-            def storage
-              request.storage.otp
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/otps/update.rb

@@ -1,34 +0,0 @@
-module Booth
-  module Userland
-    module Otps
-      class Update
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_patch!
-          request.must_be_html!
-          request.must_be_logged_in!
-
-          ::Booth::Userland::Otps::Guards::Manageable.call(credential:) { return _1 }
-          ::Booth::Userland::Otps::Guards::Sudo.call(request:, credential:) { return _1 }
-
-          do_transition
-        end
-
-        private
-
-        def transitions
-          [
-            ::Booth::Userland::Otps::Transitions::Update::Confirm,
-            ::Booth::Userland::Otps::Transitions::Update::Register,
-            ::Booth::Userland::Otps::Transitions::Update::Reset,
-          ]
-        end
-
-        def credential
-          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/password_resets/create.rb

@@ -1,73 +0,0 @@
-module Booth
-  module Userland
-    module PasswordResets
-      class Create
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_post!
-
-          do_check_logged_out
-            .on_success { do_find_credential }
-            .on_success { do_remember_email }
-            .on_success { do_create_password_reset }
-        end
-
-        private
-
-        delegate :username, to: :storage, private: true
-
-        def do_check_logged_out
-          unless request.authentication.logged_in?
-            debug { "Good, nobody happens to be already logged in in scope #{request.scope}" }
-            return Tron.success :not_logged_in
-          end
-
-          debug do
-            "Logged in as user #{request.authentication.username.inspect} but trying to request password reset"
-          end
-          Tron.failure :logged_in_user_cannot_reset_password, public_message: I18n.t('booth.logged_in_user_cannot_reset_password')
-        end
-
-        def do_find_credential
-          return Tron.success :known_credential if login_storage.credential_for_username
-
-          Tron.failure :unknown_credential, public_message: I18n.t('booth.password_reset_needs_username')
-        end
-
-        def do_remember_email
-          password_reset_storage.email = ::Booth::Syntaxes::Email.call(email_param).normalized_invalid_email
-
-          Tron.success :remembered_email
-        end
-
-        def do_create_password_reset
-          creation = ::Booth::PasswordResets::Create.call(
-            credential: login_storage.credential_for_username,
-            email: email_param,
-            ip: request.ip,
-            agent: request.agent
-          )
-
-          creation.on_success do
-            password_reset_storage.email = nil
-          end
-
-          creation
-        end
-
-        def login_storage
-          request.storage.login
-        end
-
-        def password_reset_storage
-          request.storage.password_reset
-        end
-
-        def email_param
-          params.require(:password_reset).permit(:email)[:email]
-        end
-      end
-    end
-  end
-end