booth 0.0.1 → 0.0.2

data/lib/booth/userland/password_resets/guards/logged_out.rb

@@ -1,21 +0,0 @@
-module Booth
-  module Userland
-    module PasswordResets
-      module Guards
-        class LoggedOut
-          include ::Booth::MethodObject
-          include ::Booth::Logging
-
-          option :request
-
-          def call
-            return Tron.success :not_logged_in unless request.authentication.logged_in?
-
-            debug { "Logged in as user #{request.authentication.username.inspect} but trying to password reset" }
-            yield Tron.success :logged_in_user_cannot_reset_password, step: :logout_first
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/password_resets/new.rb

@@ -1,57 +0,0 @@
-module Booth
-  module Userland
-    module PasswordResets
-      class New
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_get!
-          request.must_be_html!
-
-          ::Booth::Userland::PasswordResets::Guards::LoggedOut.call(request:) { return _1 }
-
-          do_find_credential
-            .on_success { do_prepare_reset_form }
-        end
-
-        private
-
-        delegate :username, to: :storage, private: true
-
-        def do_find_credential
-          return Tron.success :known_credential if login_storage.credential_for_username
-
-          debug { "I don't know the username for a password reset" }
-          Tron.failure :unknown_credential, public_message: I18n.t('booth.password_reset_needs_username')
-        end
-
-        def do_prepare_reset_form
-          creation = ::Booth::PasswordResets::Create.call(
-            credential: login_storage.credential_for_username,
-            email: nil,
-            ip: request.ip,
-            agent: request.agent
-          )
-
-          if creation.failure == :blank_email
-            debug { 'Password reset is possible, once email was provided' }
-            return Tron.success :email_address_needed, username: login_storage.username,
-                                                       email: password_reset_storage.email,
-                                                       step: :new
-          end
-
-          # Because we did not pass in an email, this will never be successful.
-          creation
-        end
-
-        def login_storage
-          request.storage.login
-        end
-
-        def password_reset_storage
-          request.storage.password_reset
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/password_resets/show.rb

@@ -1,77 +0,0 @@
-module Booth
-  module Userland
-    module PasswordResets
-      class Show
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_get!
-          request.must_be_html!
-
-          do_find_password_reset
-            .on_success { do_check_scope }
-            .on_success { do_check_logged_out }
-            .on_success { do_access_password_reset }
-        end
-
-        def do_find_password_reset
-          finding = ::Booth::PasswordResets::Find.call(secret_key: secret_key_param)
-          return finding if finding.failure?
-
-          @password_reset = finding.password_reset
-          finding
-        end
-
-        def do_check_scope
-          ::Booth::Syntaxes::ScopeComparison.call this: request.scope, that: @password_reset.credential.scope
-        end
-
-        def do_check_logged_out
-          unless request.authentication.logged_in?
-            debug { "Good, nobody happens to be already logged in in scope #{request.scope}" }
-            return Tron.success :not_logged_in
-          end
-
-          if request.authentication.logged_in_as?(credential: @password_reset.credential)
-            debug { "#{@password_reset.credential.username} is already logged in in scope #{request.scope}" }
-            return Tron.success :logged_in_as_same_credential
-          end
-
-          # This is not a security issue (the reset link status is checked elsewhere),
-          # but we should not ask the user to logout knowing that password reset is unavailble.
-          if %i[completed timed_out].include?(@password_reset.step)
-            return Tron.failure :wrong_user_and_reset_unavailable, step: @password_reset.step
-          end
-
-          debug do
-            "Logged in as user #{request.authentication.username.inspect} but trying to reset password as #{@password_reset.credential.username.inspect}"
-          end
-          Tron.failure :wrong_user_logged_in, step: :wrong_user_logged_in,
-                                              secret_key: @password_reset.secret_key,
-                                              username: @password_reset.credential.username
-        end
-
-        def do_access_password_reset
-          # Storing the consumer IP for now, since we already have it.
-          if @password_reset.accessed_at.blank?
-            @password_reset.update!(accessed_at: Time.current, consumer_ip: request.ip)
-          end
-
-          debug do
-            "Accessed PasswordReset with ID #{@password_reset.id.inspect} and Credential ID #{@password_reset.credential_id.inspect}"
-          end
-          Tron.success :password_reset_accessed, credential_id: @password_reset.credential.id,
-                                                 step: @password_reset.step,
-                                                 username: @password_reset.credential.username,
-                                                 secret_key: @password_reset.secret_key,
-                                                 minlength: @password_reset.class.password_minlength,
-                                                 passwordrules: @password_reset.class.passwordrules
-        end
-
-        def secret_key_param
-          params[:id]
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/password_resets/transitions/update/choose_password.rb

@@ -1,48 +0,0 @@
-module Booth
-  module Userland
-    module PasswordResets
-      module Transitions
-        module Update
-          class ChoosePassword
-            include ::Booth::Concerns::Transition
-
-            option :password_reset
-
-            def self.applicable?(params:)
-              params&.key?(:password_reset) && params[:password_reset]&.key?(:password)
-            end
-
-            def call
-              do_check_password_reset
-                .on_success { do_update_password }
-            end
-
-            private
-
-            def do_check_password_reset
-              return Tron.failure :missing_password_reset unless password_reset.is_a?(::Booth::Models::PasswordReset)
-
-              Tron.success :password_reset_exists
-            end
-
-            def do_update_password
-              if password_reset.update password: password,
-                                       password_chosen_at: Time.current
-                debug { 'You chose a password' }
-                Tron.success :password_chosen
-              else
-                public_message = password_reset.errors.to_a.to_sentence
-                debug { "Could not choose password: #{public_message}" }
-                Tron.failure :password_update_failed, public_message:
-              end
-            end
-
-            def password
-              params&.require(:password_reset)&.permit(:password)&.[](:password)
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/password_resets/transitions/update/confirm_password.rb

@@ -1,54 +0,0 @@
-module Booth
-  module Userland
-    module PasswordResets
-      module Transitions
-        module Update
-          class ConfirmPassword
-            include ::Booth::Concerns::Transition
-
-            option :password_reset
-
-            def self.applicable?(params:)
-              params.key?(:password_reset) && params[:password_reset].key?(:password_confirmation)
-            end
-
-            def call
-              do_compare_password
-                .on_success { do_update_password }
-            end
-
-            private
-
-            def do_compare_password
-              return Tron.success :passwords_match if @password_reset.authenticate_password(password_param)
-
-              @password_reset.errors.add :password_confirmation, :confirmation
-              public_message = password_reset.errors.to_a.to_sentence
-              debug { "Could not confirm password: #{public_message}" }
-              Tron.failure :password_did_not_match, public_message:
-            end
-
-            def do_update_password
-              if @password_reset.update(password_confirmed_at: Time.current, consumer_ip: request.ip)
-                debug { 'You confirmed your password' }
-                ::Booth::PasswordResets::PropagateToCredential.call(@password_reset)
-                Tron.success :password_confirmed,
-                             public_message: I18n.t('booth.password_successfully_reset')
-
-              else
-                debug do
-                  "The confirmation was correct but the update failed: #{password_reset.errors.to_a.to_sentence}"
-                end
-                Tron.failure :correct_password_confirmation_failed
-              end
-            end
-
-            def password_param
-              params.require(:password_reset).permit(:password_confirmation)[:password_confirmation]
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/password_resets/transitions/update/reset_password.rb

@@ -1,29 +0,0 @@
-module Booth
-  module Userland
-    module PasswordResets
-      module Transitions
-        module Update
-          class ResetPassword
-            include ::Booth::Concerns::Transition
-
-            option :password_reset
-
-            def self.applicable?(params:)
-              params.key?(:reset_password)
-            end
-
-            def call
-              if password_reset.update password_chosen_at: nil, password_confirmed_at: nil
-                debug { 'The PasswordReset password was reset.' }
-                Tron.success :password_reset
-              else
-                debug { "Could not reset password: #{password_reset.errors.to_a.to_sentence}" }
-                Tron.failure :password_reset_failed
-              end
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/password_resets/update.rb

@@ -1,65 +0,0 @@
-module Booth
-  module Userland
-    module PasswordResets
-      class Update
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_patch!
-
-          do_find_password_reset
-            .on_success { do_check_scope }
-            .on_success { do_check_logged_out }
-            .on_success { do_transition }
-        end
-
-        private
-
-        def do_find_password_reset
-          finding = ::Booth::PasswordResets::Find.call(secret_key: params[:id])
-          return finding if finding.failure?
-
-          @password_reset = finding.password_reset
-          finding
-        end
-
-        def do_check_scope
-          ::Booth::Syntaxes::ScopeComparison.call this: scope, that: @password_reset.credential.scope
-        end
-
-        def do_check_logged_out
-          unless request.authentication.logged_in?
-            debug { "Good, nobody happens to be already logged in in scope #{scope}" }
-            return Tron.success :not_logged_in
-          end
-
-          debug { "When updating a new password, nobody should be logged in its scope #{scope.inspect}" }
-          Tron.failure :currently_logged_in
-        end
-
-        def after_transition
-          @password_reset.reload # Ensure the `password_reset` instance is in a valid state after a failed update
-          debug { "PasswordReset updated, now in status #{@password_reset.step}" }
-
-          # If (and only if!) this account is protected *only* by a password...
-          return unless @password_reset.completed? && @password_reset.credential.mode_username_and_password?
-
-          # ...then we log in right away.
-          ::Booth::Sessions::CreateAndLogin.call(credential: @password_reset.credential, request:)
-        end
-
-        def initialize_transition
-          transition.call(password_reset: @password_reset, request:)
-        end
-
-        def transitions
-          [
-            ::Booth::Userland::PasswordResets::Transitions::Update::ChoosePassword,
-            ::Booth::Userland::PasswordResets::Transitions::Update::ConfirmPassword,
-            ::Booth::Userland::PasswordResets::Transitions::Update::ResetPassword,
-          ]
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/passwords/destroy.rb

@@ -1,41 +0,0 @@
-module Booth
-  module Userland
-    module Passwords
-      class Destroy
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_delete!
-          request.must_be_html!
-          request.must_be_logged_in!
-
-          ::Booth::Userland::Passwords::Guards::Sudo.call(request:, credential:) { return _1 }
-
-          do_require_eligible_credential
-            .on_success { do_destroy }
-        end
-
-        private
-
-        def do_require_eligible_credential
-          return Tron.success :can_remove_password if ::Booth::Credentials::Modes::PasswordRemovable.call(credential)
-
-          Tron.failure :credential_not_passwordable, public_message: I18n.t('booth.password_not_eligible')
-        end
-
-        def do_destroy
-          if credential.mode_username_and_webauth!
-            debug { 'Password has been removed from this credential' }
-            return Tron.success :password_removed, public_message: I18n.t('booth.password_removed')
-          end
-
-          Tron.failure :password_removal_failed
-        end
-
-        def credential
-          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/passwords/edit.rb

@@ -1,54 +0,0 @@
-module Booth
-  module Userland
-    module Passwords
-      class Edit
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_get!
-          request.must_be_html!
-          request.must_be_logged_in!
-
-          ::Booth::Userland::Passwords::Guards::Manageable.call(credential:) { return _1 }
-          ::Booth::Userland::Passwords::Guards::Sudo.call(request:, credential:) { return _1 }
-
-          do_clear_timed_out_sudo
-            .on_success { do_edit_password }
-        end
-
-        private
-
-        delegate :sudo, :authentication, to: :request
-
-        def do_clear_timed_out_sudo
-          return Tron.success :sudo_still_granted if sudo.password?
-
-          # If you had chosen a new password and your sudo ran out,
-          # then we should also clear the chosen password again. Simply start all over.
-          storage.password_digest = nil
-          Tron.success :cleared_password_digest
-        end
-
-        def do_edit_password
-          Tron.success :editing_password, step:
-        end
-
-        def step
-          return :successfully_changed if storage.password_recently_changed?
-          return :enter_old_password unless sudo.password?
-          return :choose_new_password if storage.password_digest.blank?
-
-          :confirm_new_password
-        end
-
-        def storage
-          request.storage.password
-        end
-
-        def credential
-          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/passwords/guards/manageable.rb

@@ -1,21 +0,0 @@
-module Booth
-  module Userland
-    module Passwords
-      module Guards
-        class Manageable
-          include ::Booth::Logging
-          include ::Booth::MethodObject
-
-          option :credential
-
-          def call
-            return if ::Booth::Credentials::Modes::PasswordManageable.call(credential)
-
-            debug { 'Password is not relevant to this credential' }
-            yield Tron.failure :password_not_configurable, public_message: I18n.t('booth.password_unavailable')
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/passwords/guards/removable.rb

@@ -1,21 +0,0 @@
-module Booth
-  module Userland
-    module Passwords
-      module Guards
-        class Removable
-          include ::Booth::Logging
-          include ::Booth::MethodObject
-
-          option :credential
-
-          def call
-            return if ::Booth::Credentials::Modes::PasswordRemovable.call(credential)
-
-            debug { 'Password is not removable from this credential' }
-            yield Tron.failure :password_not_removable, public_message: I18n.t('booth.password_unavailable')
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/passwords/guards/sudo.rb

@@ -1,21 +0,0 @@
-module Booth
-  module Userland
-    module Passwords
-      module Guards
-        class Sudo
-          include ::Booth::MethodObject
-
-          option :request
-          option :credential
-
-          def call
-            return if credential.mode_first_time?
-            return if credential.mode_username_and_webauth?
-
-            request.sudo.guard_with_password { yield _1 }
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/passwords/remove.rb

@@ -1,34 +0,0 @@
-module Booth
-  module Userland
-    module Passwords
-      class Remove
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_get!
-          request.must_be_html!
-          request.must_be_logged_in!
-
-          ::Booth::Userland::Passwords::Guards::Removable.call(credential:) { return _1 }
-          ::Booth::Userland::Passwords::Guards::Sudo.call(request:, credential:) { return _1 }
-
-          do_render
-        end
-
-        private
-
-        def do_render
-          Tron.success :todo, step:
-        end
-
-        def step
-          ::Booth::Userland::Passwords::Transitions::Remove::Step.call(credential:)
-        end
-
-        def credential
-          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/passwords/show.rb

@@ -1,32 +0,0 @@
-module Booth
-  module Userland
-    module Passwords
-      class Show
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_get!
-          request.must_be_html!
-          request.must_be_logged_in!
-
-          ::Booth::Userland::Passwords::Guards::Manageable.call(credential:) { return _1 }
-          ::Booth::Userland::Passwords::Guards::Sudo.call(request:, credential:) { return _1 }
-
-          do_show
-        end
-
-        private
-
-        def do_show
-          return Tron.success(:otp_addable, step: :add) if credential.mode_username_and_webauth?
-
-          Tron.success :manage_password, step: :show
-        end
-
-        def credential
-          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/passwords/sudo.rb

@@ -1,55 +0,0 @@
-module Booth
-  module Userland
-    module Passwords
-      class Sudo
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_post!
-          request.must_be_html!
-          request.must_be_logged_in!
-
-          do_find_credential
-            .on_success { do_require_credential_has_password }
-            .on_success { do_check_password }
-            .on_success { do_grant_sudo }
-        end
-
-        private
-
-        def do_find_credential
-          @credential = ::Booth::Models::Credential.find(request.authentication.credential_id)
-          return Tron.success :found_credential if @credential
-
-          Tron.failure :missing_credential
-        end
-
-        def do_require_credential_has_password
-          return Tron.success :credential_has_only_password if @credential.mode_username_and_password?
-          return Tron.success :credential_has_password_and_otp if @credential.mode_username_password_and_otp?
-          return Tron.success :credential_has_password_and_webauth if @credential.mode_username_password_and_webauth?
-
-          Tron.failure :credential_has_no_password, public_message: I18n.t('booth.password_not_configured')
-        end
-
-        def do_check_password
-          ::Booth::Credentials::PasswordAuthentication.call(
-            credential: @credential,
-            password: password_param,
-            ip: request.ip,
-            agent: request.agent
-          )
-        end
-
-        def do_grant_sudo
-          request.sudo.password!
-          Tron.success :password_sudo_granted
-        end
-
-        def password_param
-          params.require(:password).permit(:password)[:password]
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/passwords/transitions/remove/step.rb

@@ -1,27 +0,0 @@
-module Booth
-  module Userland
-    module Passwords
-      module Transitions
-        module Remove
-          class Step
-            include ::Booth::MethodObject
-
-            option :credential
-
-            def call
-              return :add_authenticator if authenticators.none?(&:supports_user_verification)
-
-              :remove
-            end
-
-            private
-
-            def authenticators
-              credential.authenticators.registered_scope
-            end
-          end
-        end
-      end
-    end
-  end
-end