booth 0.0.1 → 0.0.2

data/lib/booth/userland/passwords/transitions/update/choose_password.rb

@@ -1,62 +0,0 @@
-module Booth
-  module Userland
-    module Passwords
-      module Transitions
-        module Update
-          class ChoosePassword
-            include ::Booth::Concerns::Transition
-
-            def self.applicable?(params:)
-              params.dig(:password, :new_password)
-            end
-
-            def call
-              do_check_sudo
-                .on_success { do_check_password }
-                .on_success { do_remember_password }
-            end
-
-            private
-
-            def do_check_sudo
-              return Tron.success :still_has_sudo if sudo.password?
-
-              Tron.failure :missing_sudo, public_message: I18n.t('booth.password_change_timeout',
-                                                                 lifespan_minutes: (sudo.lifespan / 60))
-            end
-
-            def do_check_password
-              @dummy_credential = ::Booth::Models::Credential.new(
-                password: password_param,
-                username: :dummy,
-                allowed_modes: [:first_time]
-              )
-              return Tron.success :password_is_acceptable if @dummy_credential.valid?
-
-              debug { 'The newly chosen password is not acceptable' }
-              Tron.failure :invalid_password, public_message: @dummy_credential.errors.full_messages.to_sentence
-            end
-
-            def do_remember_password
-              storage.password_digest = @dummy_credential.password_digest
-
-              Tron.success :remembered_password
-            end
-
-            def password_param
-              params.require(:password).permit(:new_password)[:new_password]
-            end
-
-            def storage
-              request.storage.password
-            end
-
-            def sudo
-              request.sudo
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/passwords/transitions/update/confirm_password.rb

@@ -1,82 +0,0 @@
-module Booth
-  module Userland
-    module Passwords
-      module Transitions
-        module Update
-          class ConfirmPassword
-            include ::Booth::Concerns::Transition
-
-            def self.applicable?(params:)
-              params.dig(:password, :password)
-            end
-
-            def call
-              do_check_sudo
-                .on_success { do_compare_password }
-                .on_success { do_update_credential }
-            end
-
-            private
-
-            def do_check_sudo
-              return Tron.success :still_has_sudo if sudo.password?
-
-              Tron.failure :missing_sudo, public_message: I18n.t('booth.password_change_timeout',
-                                                                 lifespan_minutes: (sudo.lifespan / 60))
-            end
-
-            def do_compare_password
-              @dummy_credential = ::Booth::Models::Credential.new(
-                password_digest: storage.password_digest,
-                password_confirmation: password_param,
-                username: :dummy,
-                allowed_modes: [:first_time]
-              )
-
-              if @dummy_credential.valid?
-                debug { 'The password confirmation was typed in correctly' }
-                return Tron.success :passwords_match
-              end
-
-              debug { 'The password confirmation did not match' }
-              Tron.failure :passwords_dont_match, public_message: @dummy_credential.errors.full_messages.to_sentence
-            end
-
-            def do_update_credential
-              credential = ::Booth::Models::Credential.find(authentication.credential_id)
-
-              if credential.update(password: password_param)
-                debug { "Successfully updated password of credential with ID #{credential.id}" }
-                storage.reset
-                storage.password_recently_changed!
-
-                # Prolong sudo to give the user more time to revoke all other sessions.
-                sudo.password!
-                return Tron.success :password_updated
-              end
-
-              debug { "Could not persist new password for  credential with ID #{credential.id}" }
-              Tron.failure :persistence_failed, public_message: credential.errors.full_messages.to_sentence
-            end
-
-            def password_param
-              params.require(:password).permit(:password)[:password]
-            end
-
-            def storage
-              request.storage.password
-            end
-
-            def authentication
-              request.authentication
-            end
-
-            def sudo
-              request.sudo
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/passwords/update.rb

@@ -1,33 +0,0 @@
-module Booth
-  module Userland
-    module Passwords
-      class Update
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_patch!
-          request.must_be_logged_in!
-
-          ::Booth::Userland::Passwords::Guards::Manageable.call(credential:) { return _1 }
-          ::Booth::Userland::Passwords::Guards::Sudo.call(request:, credential:) { return _1 }
-
-          do_transition
-        end
-
-        private
-
-        def credential
-          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
-        end
-
-        def transitions
-          [
-            ::Booth::Userland::Passwords::Transitions::Update::ChoosePassword,
-            # TODO: Add ResetPassword so that you can change your mind when confirming
-            ::Booth::Userland::Passwords::Transitions::Update::ConfirmPassword,
-          ]
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/personal_contests/show.rb

@@ -1,60 +0,0 @@
-module Booth
-  module Userland
-    module PersonalContests
-      class Show
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_get!
-          request.must_be_html!
-          request.must_be_logged_in!
-
-          debug { 'You want to receive your personal contest...' }
-
-          if contest.failure?
-            debug { "This credential doesn't have any contest right now." }
-            return Tron.success :not_contested, step: :not_contested
-          end
-
-          if contest.recently_responded
-            debug { 'The current contest has already been responded to' }
-            return Tron.success :contest_responded, step: :contest_solved
-          end
-
-          step = case contest.reason
-                 when :login   then :remote_login
-                 when :support then :support_authentication
-                 else               raise "Unknown contest reason: #{contest.reason}"
-                 end
-
-          debug { 'You have a contest to respond to' }
-          Tron.success :you_are_contested,
-                       ip: contest.ip,
-                       agent: contest.agent.presence,
-                       location: contest.location.presence,
-                       browser_name: contest.browser_name,
-                       platform_name: contest.platform_name,
-                       browser_image_path: contest.browser_image_path,
-                       platform_image_path: contest.platform_image_path,
-                       step:
-        end
-
-        private
-
-        def credential
-          return @credential if defined?(@credential)
-
-          id = request.authentication.credential_id
-          @credential = ::Booth::Models::Credential.find_by(id:)
-        end
-
-        def contest
-          return unless credential
-          return @contest if defined?(@contest)
-
-          @contest = ::Booth::Contests::Get.call(credential_id: credential.id)
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/recoveries/create.rb

@@ -1,48 +0,0 @@
-module Booth
-  module Userland
-    module Recoveries
-      class Create
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_post!
-
-          do_remember_email
-            .on_success { do_create_password_reset }
-        end
-
-        private
-
-        delegate :username, to: :storage, private: true
-
-        def do_remember_email
-          storage.email = ::Booth::Syntaxes::Email.call(email_param).normalized_invalid_email
-
-          Tron.success :remembered_email
-        end
-
-        def do_create_password_reset
-          creation = ::Booth::Recoveries::Create.call(
-            scope:,
-            email: email_param,
-            ip: request.ip
-          )
-
-          creation.on_success do
-            storage.email = nil
-          end
-
-          creation
-        end
-
-        def storage
-          request.storage.recovery
-        end
-
-        def email_param
-          params.require(:recovery).permit(:email)[:email]
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/recoveries/new.rb

@@ -1,35 +0,0 @@
-module Booth
-  module Userland
-    module Recoveries
-      class New
-        include ::Booth::Concerns::Action
-
-        def call
-          request.must_be_get!
-          request.must_be_html!
-
-          if already_logged_in?
-            call_already_logged_in
-          else
-            Tron.failure :enter_email, step: :enter_email, email: storage.email
-          end
-        end
-
-        private
-
-        def call_already_logged_in
-          debug { "Looks like you're already logged in" }
-          Tron.success :logged_in, step: :already_logged_in
-        end
-
-        def already_logged_in?
-          request.authentication.logged_in?
-        end
-
-        def storage
-          request.storage.recovery
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/sessions/transitions/destroy/enter_password.rb

@@ -1,50 +0,0 @@
-module Booth
-  module Userland
-    module Sessions
-      module Transitions
-        module Destroy
-          class EnterPassword
-            include ::Booth::Concerns::Transition
-
-            def self.applicable?(params:)
-              !params[:revocation]
-            end
-
-            def call
-              if sudo.password?
-                if session_id_param
-                  debug { 'Having password sudo, revoking the desired session...' }
-                  return ::Booth::Sessions::Revoke.call credential_id: authentication.credential_id,
-                                                        session_id: session_id_param
-                else
-                  debug { 'Having password sudo, revoking all other sessions...' }
-                  return ::Booth::Sessions::RevokeAllOthers.call credential_id: authentication.credential_id,
-                                                                 surviving_session_id: authentication.session_id
-                end
-              end
-
-              if session_id_param
-                Tron.failure :need_sudo_to_destroy_session,
-                             step: :enter_password_to_destroy,
-                             session_id: session_id_param
-              else
-                Tron.failure :need_sudo_to_destroy_all_other_sessions,
-                             step: :enter_password_to_destroy_all_others
-              end
-            end
-
-            def session_id_param
-              # If params[:id] is a UUID, then it's an ID for a `Booth::Models::Session` in the DB.
-              # If params[:id] is something else, then it's just a WebAuth Ceremony argument.
-              ::Booth::Syntaxes::Uuid.call(request.params[:id], raise_if_invalid: false).uuid
-            end
-
-            delegate :authentication, to: :request
-
-            delegate :sudo, to: :request
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/sessions/transitions/destroy/verify_password.rb

@@ -1,83 +0,0 @@
-module Booth
-  module Userland
-    module Sessions
-      module Transitions
-        module Destroy
-          class VerifyPassword
-            include ::Booth::Concerns::Transition
-
-            def self.applicable?(params:)
-              params.dig(:revocation, :password)
-            end
-
-            def call
-              do_find_credential
-                .on_success { do_revoke_sessions }
-            end
-
-            private
-
-            def do_find_credential
-              @credential = ::Booth::Models::Credential.find_by(id: authentication.credential_id)
-              return Tron.success :found_credential if @credential
-
-              Tron.failure :missing_credential
-            end
-
-            def do_revoke_sessions
-              checking = ::Booth::Credentials::PasswordAuthentication.call(
-                credential: @credential,
-                password: password_param,
-                ip: request.ip,
-                agent: request.agent
-              )
-
-              if checking.success?
-                if session_id_param
-                  debug { 'Having password sudo, revoking the desired session...' }
-                  return ::Booth::Sessions::Revoke.call credential_id: authentication.credential_id,
-                                                        session_id: session_id_param
-                else
-                  debug { 'Having password sudo, revoking all other sessions...' }
-                  return ::Booth::Sessions::RevokeAllOthers.call credential_id: authentication.credential_id,
-                                                                 surviving_session_id: authentication.session_id
-                end
-              end
-
-              public_message = checking.public_message if checking.respond_to?(:public_message)
-
-              if session_id_param
-                Tron.failure :need_sudo_to_destroy_session,
-                             step: :enter_password_to_destroy,
-                             session_id: session_id_param,
-                             public_message: public_message
-              else
-                Tron.failure :need_sudo_to_destroy_all_other_sessions,
-                             step: :enter_password_to_destroy_all_others,
-                             public_message: public_message
-              end
-            end
-
-            def session_id_param
-              # If params[:id] is a UUID, then it's an ID for a `Booth::Models::Session` in the DB.
-              # If params[:id] is something else, then it's just a WebAuth Ceremony argument.
-              ::Booth::Syntaxes::Uuid.call(request.params[:id], raise_if_invalid: false).uuid
-            end
-
-            def password_param
-              request.params.require(:revocation).permit(:password)[:password]
-            end
-
-            def authentication
-              request.authentication
-            end
-
-            def sudo
-              request.sudo
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/userland/webauths/guards/manageable.rb

@@ -1,21 +0,0 @@
-module Booth
-  module Userland
-    module Webauths
-      module Guards
-        class Manageable
-          include ::Booth::Logging
-          include ::Booth::MethodObject
-
-          option :credential
-
-          def call
-            return if ::Booth::Credentials::Modes::WebauthManageable.call(credential)
-
-            debug { 'Webauth is not relevant to this credential' }
-            yield Tron.failure :webauth_not_configurable, public_message: I18n.t('booth.webauth_unavailable')
-          end
-        end
-      end
-    end
-  end
-end

data/lib/booth/webauth/authentication_verification.rb

@@ -1,68 +0,0 @@
-module Booth
-  module Webauth
-    class AuthenticationVerification
-      include ::Booth::MethodObject
-      include ::Booth::Logging
-
-      option :request
-      option :credential_id
-      option :challenge
-
-      def call
-        raise 'this authenticator doesnt match the credential' if credential_id != authenticator.credential_id
-
-        debug do
-          "Verifying using challenge #{challenge.inspect} and public key #{authenticator.public_key.inspect} and sign count #{authenticator.sign_count.inspect}"
-        end
-        webauth.verify(
-          challenge,
-          public_key: authenticator.public_key,
-          sign_count: authenticator.sign_count
-        )
-        debug { 'Response successfully verified' }
-
-        authenticator.update!(sign_count: webauth.sign_count)
-        sudo.webauth!
-
-        Tron.success :webauth_authentication_verification_successful,
-                     credential: authenticator.credential,
-                     public_json: {},
-                     http_status: :created
-      rescue WebAuthn::SignCountVerificationError => e
-        # TODO
-        raise 'implement me, counter differed, not too bad?'
-      rescue WebAuthn::Error => e
-        debug { "Response verification failed: #{e.message}" }
-        # TODO: Audit but don't throttle?
-        Tron.failure :webauth_failed, public_json: {},
-                                      public_message: "Verification failed: #{e.message}",
-                                      http_status: :unprocessable_entity
-      rescue RuntimeError => e
-        # This happens e.g. if the param[:id] does not match the param[:rawId]
-        raise
-      ensure
-        sudo.webauthn_challenge = nil
-      end
-
-      private
-
-      delegate :sudo, to: :request
-
-      def webauth
-        # The route `/things/123` overrides the `param[:id]` with 123.
-        # But thankfully, webauth also sends the rawId, which is identical to the id.
-        # So we override `param[:id]` back to what the webauth JS client sent in.
-        # If we don't do this, the webauth ruby library will raise a RuntimeError,
-        # complaining that the `id` does not match the `rawId`.
-        params_with_correct_id = request.params.dup.merge(id: request.params[:rawId])
-        ::WebAuthn::Credential.from_get(params_with_correct_id)
-      end
-
-      def authenticator
-        device_id = Base64.strict_encode64(webauth.raw_id)
-        @authenticator ||= ::Booth::Models::Authenticator.where(credential_id:)
-                                                         .find_by!(device_id:)
-      end
-    end
-  end
-end

data/lib/booth/webauth/demand_user_verification.rb

@@ -1,29 +0,0 @@
-module Booth
-  module Webauth
-    class DemandUserVerification
-      include ::Booth::MethodObject
-
-      option :credential
-      option :force, default: -> { false }
-
-      def call
-        !!why?
-      end
-
-      private
-
-      def why?
-        return :forced if force.present?
-
-        # From scratch, you only have a username.
-        # Adding webauth in that situation would mean passwordless login.
-        return :first_time_passwordless if credential.mode_first_time?
-
-        # Passwordless always requires verification
-        return :passwordless if credential.mode_username_and_webauth?
-
-        false
-      end
-    end
-  end
-end

data/lib/booth/webauth/options_for_create.rb

@@ -1,46 +0,0 @@
-module Booth
-  module Webauth
-    class OptionsForCreate
-      include ::Booth::MethodObject
-
-      option :webauthn_id
-      option :username
-      option :requires_user_verification
-      option :device_ids_to_exclude, default: -> {}
-
-      def call
-        verify_setup
-
-        ::WebAuthn::Credential.options_for_create(
-          user: {
-            id: webauthn_id,
-            name: username
-            # Also supports `display_name: "..."`
-          },
-          authenticator_selection: { user_verification: },
-          # Use the following instead, if you want to force device-internal authenticators and forbid USB etc.
-          # authenticator_selection: { user_verification:, authenticator_attachment: 'platform' },
-          exclude: device_ids_to_exclude
-        )
-      end
-
-      private
-
-      # See https://caniuse.com/mdn-api_publickeycredentialrequestoptions_userverification
-      # Can be turned off with `:discouraged`
-      def user_verification
-        requires_user_verification ? :required : :discouraged
-      end
-
-      def requires_user_verification?
-        !!requires_user_verification
-      end
-
-      def verify_setup
-        return if WebAuthn.configuration.rp_name.present?
-
-        raise ::Booth::Errors::MissingRelyingParty
-      end
-    end
-  end
-end

data/lib/booth/webauth/options_for_get.rb

@@ -1,29 +0,0 @@
-module Booth
-  module Webauth
-    class OptionsForGet
-      include ::Booth::MethodObject
-
-      option :allowed_device_ids
-      option :requires_user_verification
-
-      def call
-        WebAuthn::Credential.options_for_get(
-          allow: allowed_device_ids,
-          user_verification: user_verification_value
-        )
-      end
-
-      private
-
-      # See https://caniuse.com/mdn-api_publickeycredentialrequestoptions_userverification
-      # Can be turned off with `:discouraged`
-      def user_verification_value
-        requires_user_verification ? :required : :discouraged
-      end
-
-      def requires_user_verification?
-        !!requires_user_verification
-      end
-    end
-  end
-end

data/lib/generators/booth/migration/templates/create_booth_mode_types.erb

@@ -1,20 +0,0 @@
-# Don't change anything in this file.
-
-class CreateBoothModeTypes < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
-  def up
-    execute <<-SQL
-      CREATE TYPE booth_credential_mode AS ENUM
-        ('first_time',
-         'username_and_password',
-         'username_password_and_otp',
-         'username_password_and_webauth',
-         'username_and_webauth');
-    SQL
-  end
-
-  def down
-    execute <<-SQL
-      DROP TYPE booth_credential_mode;
-    SQL
-  end
-end