booth 0.0.1 → 0.0.2

data/lib/booth/core/credentials/find_by_username.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Credentials
+      # Returns Tron Data
+      #
+      # Success and Failure always include:
+      #   normalized_username
+      #   normalized_invalid_username
+      #
+      # Success additionally includes:
+      #   credential
+      #
+      # Failure additionally includes:
+      #   public_message
+      #
+      class FindByUsername
+        include ::Booth::Logging
+        include Calls
+
+        option :username
+
+        def call
+          do_check_username_syntax
+            .on_success { do_find_credential }
+        end
+
+        private
+
+        attr_accessor :normalized_username, :normalized_invalid_username
+
+        def do_check_username_syntax
+          checking = ::Booth::Syntaxes::Username.call(username)
+          self.normalized_username = checking.normalized_username
+          self.normalized_invalid_username = checking.normalized_invalid_username
+
+          checking
+        end
+
+        def do_find_credential
+          if credential
+            Tron.success(:found_existing_credential, credential:,
+                                                     normalized_username:,
+                                                     normalized_invalid_username:)
+          else
+            Tron.failure :credential_not_found, normalized_username:,
+                                                normalized_invalid_username:,
+                                                public_message: I18n.t('booth.unknown_username')
+          end
+        end
+
+        # Helpers
+
+        def credential
+          return @credential if defined?(@credential)
+
+          @credential = ::Booth::Models::Credential.find_by(username: normalized_username)
+        end
+      end
+    end
+  end
+end

data/lib/booth/core/credentials/index.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Credentials
+      class Index
+        include Calls
+
+        option :domain
+
+        def call; end
+      end
+    end
+  end
+end

data/lib/booth/core/credentials/webauth_challenge.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Credentials
+      # See https://github.com/cedarcode/webauthn-rails-demo-app/blob/d9b73e20a7272e8d9f7a26c48ec49e5100295939/app/controllers/sessions_controller.rb#L7-L23
+      class WebauthChallenge
+        include ::Booth::Logging
+        include Calls
+
+        option :credential
+        option :request
+
+        def call
+          return Tron.failure :missing_credential, challenge: nil if credential.nil?
+
+          if credential.registered_authenticator_ids.blank?
+            return Tron.failure :no_known_authenticators,
+                                challenge: nil
+          end
+
+          Tron.success :here_is_your_challenge, options_for_get: options_for_get.to_json,
+                                                challenge: options_for_get.challenge
+        end
+
+        private
+
+        def options_for_get
+          @options_for_get ||= ::Booth::Core::Webauth::OptionsForGet.call(
+            allowed_device_ids: credential.registered_authenticator_ids,
+            request:,
+          )
+        end
+      end
+    end
+  end
+end

data/lib/booth/core/geolocation.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Geolocation
+      def self.lookup(ip)
+        return 'localhost' if ['127.0.0.1', '::1'].include?(ip.to_s)
+        return unless defined?(::DbipUtil)
+
+        record = ::DbipUtil::City.get(ip.to_s)
+        return unless record
+
+        record['city']['names']['de'] ||
+          record['city']['names']['en'] ||
+          record['subdivisions']['names']['de'] ||
+          record['subdivisions']['names']['en'] ||
+          record['country']['names']['de'] ||
+          record['country']['names']['en']
+
+      rescue IPAddr::InvalidAddressError
+        nil
+      end
+    end
+  end
+end

data/lib/booth/core/onboardings/find.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Onboardings
+      class Find
+        include ::Booth::Logging
+        include Calls
+
+        option :domain
+        option :scope
+        option :secret_key
+        option :consumed
+
+        def call
+          do_check_domain_syntax
+            .on_success { do_check_scope_syntax }
+            .on_success { do_check_secret_key_syntax }
+            .on_success { do_find_onboarding }
+            .on_success { do_compare_domain }
+            .on_success { do_compare_scope }
+            .on_success { do_check_consummation }
+            .on_success { do_check_blockage }
+            .on_success { do_check_timeout }
+            .on_success { do_return_result }
+        end
+
+        private
+
+        attr_accessor :onboarding
+
+        def do_check_domain_syntax
+          ::Booth::Syntaxes::Domain.call(domain)
+        end
+
+        def do_check_scope_syntax
+          ::Booth::Syntaxes::Scope.call(scope)
+        end
+
+        def do_check_secret_key_syntax
+          ::Booth::Syntaxes::SecretKey.call(secret_key)
+        end
+
+        def do_find_onboarding
+          self.onboarding = ::Booth::Models::Onboarding.joins(:credential).find_by(secret_key:)
+
+          if onboarding
+            log { "Found Onboarding with ID #{onboarding.id.inspect} for secret key #{secret_key}" }
+            return Tron.success(:found_onboarding_for_key)
+          end
+
+          log { "Could not find Onboarding with secret key #{secret_key.inspect}" }
+          Tron.failure :onboarding_not_found, public_message: I18n.t('booth.unknown_secret_key')
+        end
+
+        def do_compare_domain
+          ::Booth::Comparisons::Domain.call(actual: domain, expected: onboarding.domain)
+        end
+
+        def do_compare_scope
+          ::Booth::Comparisons::Scope.call(actual: onboarding.scope, expected: scope)
+        end
+
+        def do_check_consummation
+          return Tron.success :onboarding_consummation_ignored if consumed == :any
+          return Tron.success :onboarding_matches_consumed if consumed && onboarding.consumed?
+          return Tron.success :onboarding_matches_unconsumed if !consumed && !onboarding.consumed?
+
+          Tron.failure(:onboarding_consummation_mismatch, expected: consumed,
+                                                          actual: onboarding.consumed?)
+        end
+
+        def do_check_blockage
+          return Tron.success(:credential_not_blocked) unless onboarding.credential.blocked?
+
+          Tron.failure :credential_blocked, public_message: I18n.t('booth.administratively_blocked')
+        end
+
+        def do_check_timeout
+          return Tron.success(:onboarding_recently_created) unless onboarding.timed_out?
+
+          public_message = I18n.t('booth.onboarding_timeout', lifespan_hours: onboarding.lifespan.seconds / 60 / 60)
+          Tron.failure :onboarding_outdated, public_message:
+        end
+
+        def do_return_result
+          Tron.success(:found_onboarding, onboarding:)
+        end
+      end
+    end
+  end
+end

data/lib/booth/core/onboardings/step.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Onboardings
+      class Step
+        include Calls
+
+        option :onboarding
+        option :request
+
+        def call
+         return :not_found unless onboarding
+
+        end
+      end
+    end
+  end
+end

data/lib/booth/core/remotes/get.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Remotes
+      # Retrieves the current Remote for a Credential.
+      class Get
+        include Calls
+        include ::Booth::Logging
+
+        option :credential_id
+
+        def call
+          return Tron.failure :remote_not_found unless remote
+
+          Tron.success(:found_recent_remote, **attributes)
+        end
+
+        private
+
+        def remote
+          return @remote if defined?(@remote)
+
+          @remote = ::Booth::Models::Remote.recently_created_scope
+                                           .find_by(credential_id:)
+        end
+
+        def attributes # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
+          {
+            formatted_code: remote.formatted_code,
+            normalized_code: remote.code,
+            ip: remote.ip,
+            agent: remote.agent.presence,
+            location: remote.location.presence,
+            recently_responded: remote.recently_responded?,
+            browser_name: remote.browser_name,
+            platform_name: remote.platform_name,
+            browser_image_path: remote.browser_image_path,
+            platform_image_path: remote.platform_image_path
+          }
+        end
+      end
+    end
+  end
+end

data/lib/booth/core/remotes/respond.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Remotes
+      class Respond
+        include ::Booth::Logging
+        include Calls
+
+        option :scope
+        option :remote
+        option :request
+
+        def call
+          do_find_remote
+            .on_success { do_check_timeout }
+            .on_success { do_check_scope }
+            .on_success { do_check_already_responded }
+            .on_success { do_check_code_syntax }
+            .on_success { do_respond }
+        end
+
+        private
+
+        delegate :credential, to: :remote, private: true
+
+        def do_find_remote
+          return Tron.success :remote_exists if remote
+
+          Tron.failure :missing_remote
+        end
+
+        def do_check_timeout
+          return Tron.success :remoteed_recently if remote.recently_created?
+
+          log { 'This remote timed out' }
+          Tron.failure :remote_timed_out,
+                       lifespan: remote.lifespan,
+                       public_message: I18n.t('booth.remote_timed_out',
+                                              lifespan_minutes: remote.lifespan.seconds / 60)
+        end
+
+        def do_check_scope
+          ::Booth::Comparisons::Scope.call expected: scope, actual: credential.scope
+        end
+
+        def do_check_already_responded
+          return Tron.success :ok_waiting_for_response if remote.responded_at.blank?
+
+          log { "This remote has already been responded to #{remote.responded_at.inspect}" }
+          Tron.failure :already_responded,
+                       public_message: I18n.t('booth.already_responded_to_remote')
+        end
+
+        def do_check_code_syntax
+          check = ::Booth::Syntaxes::RemoteCode.call(code_param)
+
+          check.on_success do
+            @normalized_code = check.normalized_remote_code
+          end
+
+          check
+        end
+
+        def do_respond
+          if @normalized_code == remote.code
+            log { "The code #{@normalized_code} was accepted, persisting positive response..." }
+            remote.update!(responded_at: Time.current)
+            return Tron.success :response_code_accepted,
+                                public_message: I18n.t('booth.remote_response_accepted')
+          end
+
+          Tron.failure :wrong_code, public_message: I18n.t('booth.wrong_response_code')
+        end
+
+        def code_param
+          request.params.expect(remote_login: [:code])[:code]
+        end
+      end
+    end
+  end
+end

data/lib/booth/core/remotes/set_for_login.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Remotes
+      class SetForLogin
+        include ::Booth::Logging
+        include Calls
+
+        option :credential_id
+        option :request
+
+        def call
+          remote = nil
+
+          ::Booth::Models::ApplicationRecord.transaction do
+            ::Booth::Models::Remote.where(credential_id:).delete_all
+
+            remote = ::Booth::Models::Remote.create!(
+              credential_id:,
+              ip: request.ip,
+              agent: request.agent,
+            )
+          end
+
+          Tron.success :remote_created, remote:
+        end
+      end
+    end
+  end
+end

data/lib/booth/core/sessions/create_and_login.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Sessions
+      class CreateAndLogin
+        include Calls
+        include ::Booth::Logging
+
+        option :domain
+        option :scope
+        option :credential
+        option :request, ::Booth::Coercers::Request
+
+        def call
+          do_compare_domain
+            .on_success { do_compare_scope }
+            .on_success { do_create_session }
+            .on_success { do_login }
+        end
+
+        private
+
+        attr_accessor :session
+
+        def do_compare_domain
+          ::Booth::Comparisons::Domain.call(actual: domain, expected: credential.domain)
+        end
+
+        def do_compare_scope
+          ::Booth::Comparisons::Scope.call(actual: scope, expected: credential.scope)
+        end
+
+        def do_create_session
+          log { "Creating new Session for credential ID #{credential.id}" }
+          self.session = ::Booth::Models::Session.create! credential:,
+                                                          agent: request.agent,
+                                                          most_recent_ip: request.ip
+          Tron.success :session_created
+        end
+
+        def do_login
+          request.authentication.login(session:)
+
+          # Consume everything that led up to this authentication to avoid re-authentication.
+          # If we don't reset the cookie here, the "remote login flow" could log you right back in.
+          login_storage.reset
+          registration_storage.reset
+
+          Tron.success :session_created_and_logged_in, return_path: request.return_path
+        end
+
+        def login_storage
+          request.storage.login
+        end
+
+        def registration_storage
+          request.storage.registration
+        end
+      end
+    end
+  end
+end

data/lib/booth/core/sessions/historical_locations.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Sessions
+      class HistoricalLocations
+        include Calls
+
+        param :session
+
+        # TODO: Show IPs for cities that are different from the most recent IP.
+        def call
+          return if historical_locations.values.blank?
+
+          historical_locations.values.reject { it == location }.uniq.sort.join(', ').presence
+        end
+
+        delegate :location, :historical_locations, to: :session, private: true
+      end
+    end
+  end
+end

data/lib/booth/core/sessions/index.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Sessions
+      class Index
+        EXPOSED_ATTRIBUTE_NAMES = %i[
+          id
+          activity_at
+          created_at
+          agent
+          most_recent_ip
+          historical_ips
+          location
+          historical_location_names
+          browser_name
+          platform_name
+          browser_image_path
+          platform_image_path
+        ].freeze
+        private_constant :EXPOSED_ATTRIBUTE_NAMES
+
+        include Calls
+
+        option :credential_id
+        option :current_session_id
+
+        def call
+          # Booth currently doesn't perform pagination.
+          # To avoid an attacking vector that could bring our database down,
+          # we simply pull the handbrake when trying to fetch too many sessions.
+          # Nobody should have that many active concurrent sessions.
+          if base_scope.count > max_allowed_sessions
+            raise "Too many sessions for Credential ID #{credential_id}"
+          end
+
+          base_scope.map do |session|
+            ::Booth::ToStruct.call(exposed_attributes(session))
+          end
+        end
+
+        private
+
+        def exposed_attributes(session)
+          result = { is_current: current_session_id == session.id }
+
+          EXPOSED_ATTRIBUTE_NAMES.each do |attribute|
+            result[attribute] = session.public_send(attribute)
+          end
+
+          result
+        end
+
+        def base_scope
+          ::Booth::Models::Session.active_scope
+                                  .sorted_scope
+                                  .owned_by_scope(credential_id:)
+        end
+
+        def max_allowed_sessions
+          500
+        end
+      end
+    end
+  end
+end

data/lib/booth/core/sessions/revoke.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Sessions
+      class Revoke
+        include Calls
+        include ::Booth::Logging
+
+        option :credential_id
+        option :session_id
+
+        def call
+          do_check_id_syntax
+            .on_success { do_revoke_session }
+        end
+
+        private
+
+        def do_check_id_syntax
+          ::Booth::Syntaxes::Uuid.call(credential_id, raise_if_invalid: true)
+          ::Booth::Syntaxes::Uuid.call(session_id, raise_if_invalid: true)
+
+          Tron.success :valid_session_id_syntax
+        end
+
+        def do_revoke_session
+          unless session
+            log do
+              "Session #{session_id.inspect} not found for credential #{credential_id.inspect}"
+            end
+            return Tron.success :session_not_found
+          end
+
+          if session.revoked_at.present?
+            log { "Session #{session.id.inspect} is already revoked." }
+            return Tron.success :already_revoked,
+                                public_message: I18n.t('booth.session_revoked',
+                                                       ip: session.most_recent_ip)
+          end
+
+          log { "Revoking Session #{session.id.inspect}" }
+          session.update! revoked_at: Time.current,
+                          revoke_reason: :manual
+
+          Tron.success :session_revoked,
+                       public_message: I18n.t('booth.session_revoked', ip: session.most_recent_ip)
+        end
+
+        def session
+          return @session if defined?(@session)
+
+          @session = ::Booth::Models::Session.where(credential_id:)
+                                             .find_by(id: session_id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/core/sessions/revoke_all_others.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Sessions
+      class RevokeAllOthers
+        include Calls
+
+        option :credential_id
+        option :surviving_session_id
+
+        def call
+          do_check_id_syntax
+            .on_success { do_revoke_all_other_session }
+        end
+
+        private
+
+        def do_check_id_syntax
+          ::Booth::Syntaxes::Uuid.call(credential_id, raise_if_invalid: true)
+          ::Booth::Syntaxes::Uuid.call(surviving_session_id, raise_if_invalid: true)
+
+          Tron.success :valid_session_id_syntax
+        end
+
+        def do_revoke_all_other_session
+          if sessions.blank?
+            return Tron.success :nothing_to_revoke,
+                                public_message: I18n.t('booth.all_other_sessions_revoked')
+          end
+
+          # Preferring speed. Because if there are many we don't want the page to hang.
+          sessions.update_all revoked_at: Time.current,
+                              revoke_reason: :manual_all_others
+
+          Tron.success :other_sessions_revoked,
+                       public_message: I18n.t('booth.all_other_sessions_revoked')
+        end
+
+        def sessions
+          return @sessions if defined?(@sessions)
+
+          @sessions = ::Booth::Models::Session.where(credential_id:)
+                                              .where.not(id: surviving_session_id)
+        end
+      end
+    end
+  end
+end