booth 0.0.1 → 0.0.2

data/lib/booth/core/sessions/to_passport.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Sessions
+      # A Passport is an immutable representation of your current browser-session.
+      # For convenience, we add information about the Credential belonging to that session.
+      class ToPassport
+        include Calls
+        include ::Booth::Logging
+
+        param :session
+
+        def call
+          ::Booth::ToStruct.call(attributes)
+        end
+
+        private
+
+        delegate :credential, to: :session, private: true
+
+        def attributes
+          {
+            username: credential.username,
+            session_id: session.id,
+            credential_id: credential.id,
+            incognito_credential_id: session.incognito_credential_id,
+            blocked: credential.blocked?,
+            revoked: session.revoked_at.present?,
+          }
+        end
+      end
+    end
+  end
+end

data/lib/booth/core/webauth/authentication_verification.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Webauth
+      class AuthenticationVerification
+        include Calls
+        include ::Booth::Logging
+
+        option :request
+        option :credential_id
+        option :challenge
+
+        def call
+          if credential_id != authenticator.credential_id
+            raise 'this authenticator doesnt match the credential'
+          end
+
+          log do
+            "Verifying using challenge #{challenge.inspect} and public key #{authenticator.public_key.inspect} and sign count #{authenticator.sign_count.inspect}"
+          end
+          webauth.verify(
+            challenge,
+            public_key: authenticator.public_key,
+            sign_count: authenticator.sign_count,
+          )
+          log { 'Response successfully verified' }
+
+          authenticator.update!(sign_count: webauth.sign_count)
+          sudo.webauth!
+
+          Tron.success :webauth_authentication_verification_successful,
+                       credential: authenticator.credential,
+                       public_json: {},
+                       http_status: :created
+        rescue WebAuthn::SignCountVerificationError => e
+          log { "Response verification failed: #{e.message} (expected #{authenticator.sign_count})" }
+          # TODO: Audit
+          Tron.failure :webauth_failed, public_json: { public_message: 'Passkey Sign count mismatch.' },
+                                        public_message: "Verification failed: #{e.message}",
+                                        # expected_sign_count: authenticator.sign_count,
+                                        http_status: :unprocessable_entity
+        rescue WebAuthn::Error => e
+          log { "Response verification failed: #{e.message}" }
+          # TODO: Audit but don't throttle?
+          Tron.failure :webauth_failed, public_json: {},
+                                        public_message: "Verification failed: #{e.message}",
+                                        http_status: :unprocessable_entity
+        rescue RuntimeError => e
+          # This happens e.g. if the params[:id] does not match the params[:rawId]
+          raise
+        ensure
+          sudo.webauthn_challenge = nil
+        end
+
+        private
+
+        delegate :sudo, to: :request
+
+        def webauth
+          ::WebAuthn::Credential.from_get(request.params[:handshake], relying_party:)
+        end
+
+        def authenticator
+          device_id = ::WebAuthn.standard_encoder.encode(webauth.raw_id)
+          @authenticator ||= ::Booth::Models::Authenticator.where(credential_id:)
+                                                           .find_by!(device_id:)
+        end
+
+        def relying_party
+          ::Booth.config.relying_party_resolver.call(request:)
+        end
+      end
+    end
+  end
+end

data/lib/booth/core/webauth/options_for_create.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Webauth
+      class OptionsForCreate
+        include Calls
+        include ::Booth::Logging
+
+        option :webauthn_id
+        option :username
+        option :request
+        option :device_ids_to_exclude, default: -> {}
+
+        def call
+          unless relying_party
+            log { "Could not resolve relying party for #{request.host}" }
+            return Tron.failure(:missing_relying_party, challenge: nil, as_json: nil,
+                                                        relying_party_id: nil)
+          end
+
+          options = ::WebAuthn::Credential.options_for_create(
+            user: {
+              id: webauthn_id,
+              name: username,
+              # Some browsers also support `display_name: "..."`
+            },
+            # Tell security key to also send its certificate as so called "attachment".
+            attestation: 'direct',
+            # Completely passwordless authentication should always require interaction/verification.
+            authenticator_selection: { user_verification: :required },
+            relying_party:,
+
+            # The advantage of excluding already registered devices is that we avoid duplicates.
+            # The disadvantage is, when the user manually resets the hardware device.
+            # Then the (now pristine) device cannot be used, because the orphan is still in the DB.
+            # In that case the user has to delete the orphan first, which seems okay.
+            exclude: device_ids_to_exclude,
+          )
+
+          Tron.success(:webauthn_options_for_create, challenge: options.challenge,
+                                                     as_json: options.as_json,
+                                                     relying_party_id: options.relying_party&.id)
+        end
+
+        private
+
+        def relying_party
+          return @relying_party if defined?(@relying_party)
+
+          @relying_party = ::Booth.config.relying_party_resolver.call(request:)
+        end
+      end
+    end
+  end
+end

data/lib/booth/core/webauth/options_for_get.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Webauth
+      class OptionsForGet
+        include Calls
+
+        option :allowed_device_ids
+        option :request
+
+        def call
+          raise 'what' unless relying_party
+
+          WebAuthn::Credential.options_for_get(
+            allow: allowed_device_ids,
+            user_verification: :required,
+            relying_party:,
+          )
+        end
+
+        private
+
+        def relying_party
+          ::Booth.config.relying_party_resolver.call(request:)
+        end
+      end
+    end
+  end
+end

data/lib/booth/core/webauth/provider.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Webauth
+      # Queries the semi-official AAGUID database for passkey vendors.
+      class Provider
+        def self.find(aaguid)
+          attributes = all[aaguid.to_sym]
+          return unless attributes
+
+          attributes.merge!(aaguid:)
+
+          ::Data.define(:aaguid, :name, :icon_dark, :icon_light).new(**attributes)
+        end
+
+        private
+
+        def self.all
+          @all ||= load_aaguids
+        end
+        private_class_method :all
+
+        def self.load_aaguids
+          # This file is downloaded via a rake task from
+          # https://github.com/passkeydeveloper/passkey-authenticator-aaguids
+          path = Pathname.new('../../../../data/combined_aaguid.json').expand_path(__dir__)
+          raise "Missing AAGUIDs file: #{path}" unless path.exist?
+
+          JSON.parse(path.read, symbolize_names: true)
+        end
+        private_class_method :load_aaguids
+      end
+    end
+  end
+end

data/lib/booth/core/webauth/registration_verification.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+module Booth
+  module Core
+    module Webauth
+      # Verifies the ajax-response of a hardware key to a previous challenge.
+      class RegistrationVerification
+        include Calls
+        include ::Booth::Logging
+
+        option :credential_id
+        option :challenge
+        option :handshake
+        option :request
+
+        def call
+          do_verify_response
+            .on_success { do_return_attributes }
+        end
+
+        private
+
+        def do_verify_response
+          log { "Verifying challenge #{challenge.inspect} using handshake #{handshake}" }
+          webauth.verify(challenge)
+          log { 'Response successfully verified' }
+
+          Tron.success :webauth_registration_verification_successful
+        rescue WebAuthn::AttestationStatementVerificationError => e
+          # Only happens when `::WebAuthn.config.verify_attestation_statement = true`
+          log { "Attestation Verification failed - #{e.message}" }
+          Tron.failure :attestation_verification_failed,
+                       public_json: { public_message: 'Attestation Statement Verification failed' },
+                       http_status: :bad_request
+
+        # rescue WebAuthn::SignCountVerificationError => e
+        # At Registration this should never happen.
+        # Because the sign_counter will always be 0 (or 1?).
+        rescue WebAuthn::OriginVerificationError => e
+          log { 'Request must come from allowed origin' }
+          Tron.failure :origin_verification_failed,
+                       http_status: :unprocessable_entity,
+                       public_json: {
+                         public_message: "The origin hostname/port could not be verified (#{e.message})"
+                       }
+        rescue WebAuthn::Error => e
+          log { "Webauth Handshake failed: #{e.message}" }
+          Tron.failure :invalid_challenge_response
+          # TODO: Audit but don't throttle?
+          Tron.failure :webauth_failed,
+                       http_status: :unprocessable_entity,
+                       public_json: {
+                         public_message: "Verification failed: #{e.message}"
+                       }
+        rescue RuntimeError => e
+          # This happens e.g. if the params[:id] does not match the params[:rawId]
+          log { "Registration Verification failed - #{e.class} #{e.message}" }
+          Tron.failure(:registration_verification_failed, http_status: :bad_request,
+                                                          public_json: { public_message: e.message })
+        end
+
+        def do_return_attributes
+          Tron.success :registration_verification_successful,
+                       device_id:,
+                       public_key: webauth.public_key,
+                       attachment: webauth.authenticator_attachment,
+                       sign_count: webauth.sign_count,
+                       aaguid:,
+                       issuer:,
+                       confirmed_at: Time.current
+        end
+
+        def aaguid
+          webauth.response.attestation_object.aaguid
+        end
+
+        def device_id
+          ::WebAuthn.standard_encoder.encode(webauth.raw_id.to_s)
+        end
+
+        def issuer
+          webauth.response
+                 .attestation_object
+                 .attestation_statement
+                 .attestation_certificate
+                 &.subject
+                 &.to_utf8
+        end
+
+        def webauth
+          @webauth ||= ::WebAuthn::Credential.from_create(handshake, relying_party:)
+        end
+
+        def relying_party
+          ::Booth.config.relying_party_resolver.call(request:)
+        end
+      end
+    end
+  end
+end

data/lib/booth/credential.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Booth
+  # Public read-only Model you can call in your Rails app.
+  #
+  # We expose read-only Credentials without associations for DB querying and joins
+  # that the Rails developer might like to perform. E.g. Customer.joins(:credential)
+  # This is the only exception, other records will be queried through Adminland#some_method
+  #
+  # You can join this in your models the usual way:
+  #
+  #   class Customer < ApplicationRecord
+  #     belongs_to :credential, class_name: '::Booth::Credential'
+  #   end
+  #
+  # You can even subclass it:
+  #
+  #   class Credential < Booth::Credential
+  #     has_one :customer, dependent: :nullify
+  #   end
+  #
+  # So that you can run join queries:
+  #
+  #   Credential.where(domain: 'example.com', scope: :community).where.missing(:customer)
+  #
+  # You may also reference this table in migrations:
+  #
+  #   add_foreign_key :customers, :booth_credentials, column: :credential_id, on_delete: :nullify
+  #
+  class Credential < ActiveRecord::Base # rubocop:disable Rails/ApplicationRecord
+    self.table_name = 'booth_credentials'
+
+    after_initialize :readonly!
+  end
+end

data/lib/booth/engine.rb

@@ -1,14 +1,25 @@
+# frozen_string_literal: true
+
 module Booth
+  # The Booth Engine you can use in your Rails app.
   class Engine < ::Rails::Engine
-    initializer 'booth.add_manifest' do |app|
-      app.config.assets.precompile << 'booth_manifest.js'
+    config.autoload_paths << root.join('lib')
+
+    initializer 'booth.importmap', before: 'importmap' do |app|
+      app.config.importmap.paths << Engine.root.join('config/importmap.rb')
+      # Watch JS changes in development
+      app.config.importmap.cache_sweepers << Engine.root.join('app/assets/javascripts')
+    end
+
+    initializer 'booth.assets' do |app|
+      app.config.assets.paths << Engine.root.join('app/javascript')
     end
 
     initializer 'booth.insert_warden_middleware' do |app|
       app.config.middleware.insert_after ::ActionDispatch::Flash, ::Warden::Manager do |manager|
         manager.intercept_401 = false
-        manager.serialize_into_session { ::Booth::Hooks::SerializeIntoSession.call(_1) }
-        manager.serialize_from_session { ::Booth::Hooks::SerializeFromSession.call(_1) }
+        manager.serialize_into_session { ::Booth::Hooks::SerializeIntoSession.call(it) }
+        manager.serialize_from_session { ::Booth::Hooks::SerializeFromSession.call(it) }
       end
     end
 

data/lib/booth/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Errors
     class Error < ::StandardError

data/lib/booth/hooks/after_fetch.rb

@@ -1,7 +1,10 @@
+# frozen_string_literal: true
+
 module Booth
   module Hooks
+    # Once Warden fetched the session from DB, let's check it for authorization.
     class AfterFetch
-      include ::Booth::MethodObject
+      include Calls
       include ::Booth::Logging
 
       option :passport
@@ -9,11 +12,16 @@ module Booth
       option :options
 
       def call
-        if passport.revoked_at
-          debug { "Your session in scope #{scope.inspect} was revoked at #{passport.revoked_at}. Logging you out." }
+        if passport.blocked
+          log { 'Your credential is blocked. Logging you out.' }
+          request.authentication.logout
+
+        elsif passport.revoked
+          log { "Your session in scope #{scope.inspect} was revoked. Logging you out." }
           request.authentication.logout
+
         else
-          debug { "Registering activity of legitimate session in scope #{scope.inspect} with IP #{request.ip}..." }
+          log { "Registering activity of legitimate session in scope #{scope.inspect} with IP #{request.ip}..." }
           register_activity
         end
 
@@ -23,7 +31,7 @@ module Booth
       private
 
       def register_activity
-        ::Booth::Models::Session.where(id: passport.id).update_all(
+        ::Booth::Models::Session.where(id: passport.session_id).update_all(
           ['activity_at = ?, ' \
            'agent = ?, ' \
            'location = ?, ' \
@@ -37,7 +45,7 @@ module Booth
            request.ip,
            request.location,
            request.ip,
-           Time.current.to_i.to_s]
+           Time.current.to_i.to_s],
         )
       end
 

data/lib/booth/hooks/before_logout.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module Booth
   module Hooks
     class BeforeLogout
-      include ::Booth::MethodObject
+      include Calls
       include ::Booth::Logging
 
       option :passport
@@ -11,9 +13,9 @@ module Booth
       def call
         return unless passport # Attempting to logout when already logged out.
 
-        debug { "Revoking Session with ID #{passport.id} in scope #{scope.inspect} because of logout" }
+        log { "Revoking Session #{passport.session_id} in scope #{scope.inspect} because of logout" }
 
-        ::Booth::Models::Session.where(id: passport.id)
+        ::Booth::Models::Session.where(id: passport.session_id)
                                 .update_all(revoked_at: Time.current, revoke_reason: :logout)
 
         nil

data/lib/booth/hooks/serialize_from_session.rb

@@ -1,7 +1,10 @@
+# frozen_string_literal: true
+
 module Booth
   module Hooks
+    # Convert what is in the cookie to a session record from the DB.
     class SerializeFromSession
-      include ::Booth::MethodObject
+      include Calls
       include ::Booth::Logging
 
       param :session_id
@@ -9,15 +12,20 @@ module Booth
       def call
         ::Booth::Syntaxes::Uuid.call(session_id, raise_if_invalid: true)
 
-        session = ::Booth::Models::Session.active_scope.find_by(id: session_id)
+        session = ::Booth::Models::Session.active_scope
+                                          .includes_scope
+                                          .find_by(id: session_id)
 
         unless session
-          debug { "Session ID #{session_id.inspect} stored in the cookie, but doesn't exist in the database" }
+          log { "Session ID #{session_id.inspect} stored in cookie doesn't exist in database" }
+
+          # p ::Booth::Models::Session.find_by(id: session_id)
+
           return
         end
 
-        debug { "Deserializing Session #{session_id.inspect} information into Warden..." }
-        ::Booth::Sessions::ToPassport.call(session)
+        log { "Deserializing DB Session #{session_id.inspect} information into Warden cookie..." }
+        ::Booth::Core::Sessions::ToPassport.call(session)
       end
     end
   end

data/lib/booth/hooks/serialize_into_session.rb

@@ -1,13 +1,16 @@
+# frozen_string_literal: true
+
 module Booth
   module Hooks
+    # Persist an authenticated session in the cookie.
     class SerializeIntoSession
-      include ::Booth::MethodObject
+      include Calls
 
       param :passport
 
       def call
-        # This is the ID of the `Booth::Models::Session`.
-        passport.id
+        # This is the ID of the `Booth::Models::Session` record.
+        passport.session_id
       end
     end
   end

data/lib/booth/logging.rb

@@ -1,59 +1,30 @@
+# frozen_string_literal: true
+
 module Booth
   module Logging
     extend ActiveSupport::Concern
 
-    # TODO: Implement only generic `log` method to avoid cluttering the Object where this was included.
-    #       We only use `debug` anyway.
     class_methods do
-      def debug(&)
-        _logger.debug(&)
-      end
-
-      def info(&)
-        _logger.info(&)
-      end
-
-      def warn(&)
-        _logger.warn(&)
-      end
-
-      def error(&)
-        _logger.error(&)
-      end
-
-      def fatal(&)
-        _logger.fatal(&)
+      def log(&)
+        ::Booth.config.logger&.debug(to_s, &)
       end
 
-      def _logger
-        ::Booth::Logger.new(self)
+      def emit(event_name, data = {})
+        # See https://github.com/rails/rails/blob/main/activesupport/lib/active_support/event_reporter.rb
+        ::Rails.event.notify("booth.#{event_name}", data, caller_depth: 2)
+        nil
       end
     end
 
     private
 
-    def debug(&)
-      _logger.debug(&)
-    end
-
-    def info(&)
-      _logger.info(&)
-    end
-
-    def warn(&)
-      _logger.warn(&)
-    end
-
-    def error(&)
-      _logger.error(&)
-    end
-
-    def fatal(&)
-      _logger.fatal(&)
+    def log(&)
+      ::Booth.config.logger&.debug(self.class.to_s, &)
     end
 
-    def _logger
-      @_logger ||= ::Booth::Logger.new(self)
+    def emit(event_name, data = {})
+      ::Rails.event.notify("booth.#{event_name}", data, caller_depth: 2)
+      nil
     end
   end
 end

data/lib/booth/models/application_record.rb

@@ -1,5 +1,8 @@
+# frozen_string_literal: true
+
 module Booth
   module Models
+    # All ActiveRecord models inherit from this class.
     class ApplicationRecord < ::ActiveRecord::Base
       self.abstract_class = true
     end

data/lib/booth/models/audit.rb

@@ -1,20 +1,19 @@
+# frozen_string_literal: true
+
 module Booth
   module Models
+    # An event log.
     class Audit < ::Booth::Models::ApplicationRecord
       self.table_name = 'booth_audits'
 
-      enum event: { added_otp: 'added_otp',
-                    changed_otp: 'changed_otp',
-                    completed_onboarding: 'completed_onboarding',
-                    entered_correct_password: 'entered_correct_password',
-                    entered_wrong_otp: 'entered_wrong_otp',
-                    entered_wrong_password: 'entered_wrong_password',
-                    logout: 'logout',
-                    queried_unknown_username: 'queried_unknown_username',
-                    requested_password_reset: 'requested_password_reset' },
-           _prefix: true
+      # changed_tenant (payload from: to:)
+      enum :event, %i[
+        completed_onboarding
+        logout
+        registered
+      ].index_with(&:to_s), prefix: true
 
-      belongs_to :credential, class_name: '::Booth::Models::Credential', optional: true
+      belongs_to :credential, optional: true
 
       validates :ip, :event, presence: true