booth 0.0.1 → 0.0.2

data/lib/booth/models/authenticator.rb

@@ -1,22 +1,21 @@
+# frozen_string_literal: true
+
 module Booth
   module Models
+    # A WebAuthn Passkey.
     class Authenticator < ::Booth::Models::ApplicationRecord
-      include ::Booth::Logging
-
       self.table_name = 'booth_authenticators'
 
-      belongs_to :credential, class_name: '::Booth::Models::Credential'
+      belongs_to :credential
 
       validates :credential_id, uniqueness: { scope: :webauthn_id }
       validates :webauthn_id, presence: true, uniqueness: true
       validates :nickname, length: { minimum: 3, maximum: 40 }, allow_blank: true
+      validates :rp_id, presence: true
 
       before_validation :ensure_webauthn_id
-      # before_validation :derive_registration_challenge
-      # before_destroy :keep_at_least_one_authenticator
 
       scope :registered_scope, -> { where.not(confirmed_at: nil) }
-      scope :supports_user_verification_scope, -> { where(supports_user_verification: true) }
       scope :sorted_scope, -> { order(:nickname) }
 
       def generate_webauth_id
@@ -28,13 +27,11 @@ module Booth
       end
 
       def step
-        ::Booth::Authenticators::Step.call(self)
+        ::Booth::Core::Authenticators::Step.call(self)
       end
 
       private
 
-      # delegate :recommended_user_verification, to: :credential
-
       def ensure_webauthn_id
         return if webauthn_id.present?
 

data/lib/booth/models/credential.rb

@@ -1,41 +1,38 @@
+# frozen_string_literal: true
+
 module Booth
   module Models
+    # Essentially the username for logging in.
     class Credential < ::Booth::Models::ApplicationRecord
-      include ::Booth::Models::Concerns::Modeable
-      include ::Booth::Models::Concerns::Passwordable
-      include ::Booth::Models::Concerns::Otpable
-
       self.table_name = 'booth_credentials'
 
-      has_one :contest, dependent: :destroy
       has_one :onboarding, dependent: :destroy
+      has_one :remote, dependent: :destroy
 
       has_many :audits, dependent: :destroy
       has_many :authenticators, dependent: :destroy
-      has_many :password_resets, dependent: :destroy
       has_many :sessions, dependent: :destroy
 
+      before_validation :normalize_domain
       before_validation :normalize_username
       before_validation :normalize_scope
-      before_validation :stringify_allowed_modes
 
-      validates :username, :scope, :allowed_modes, :mode, presence: true
-      validates :username, uniqueness: { scope: :scope }
+      validates :domain, :scope, :username, presence: true
+      validates :username, uniqueness: true
 
-      validates_each :allowed_modes do |record, attr, value|
-        record.errors.add(attr, 'is invalid') unless value.all? { modes.keys.include?(_1) }
+      scope :sorted_scope, -> { order(:username) }
+
+      def blocked?
+        blocked_at.present?
       end
 
       def remote_session_available?
         sessions.active_scope.any?
       end
 
-      def applicable_for_password_reset?
-        mode_username_and_password? ||
-          mode_username_password_and_otp? ||
-          mode_username_password_and_webauth?
+      def registered_authenticators?
+        registered_authenticator_ids.any?
       end
-      alias passworded? applicable_for_password_reset?
 
       def registered_authenticator_ids
         authenticators.registered_scope
@@ -45,16 +42,16 @@ module Booth
 
       private
 
-      def normalize_username
-        self.username = ::Booth::Syntaxes::Username.call(username).normalized_username
+      def normalize_domain
+        self.domain = ::Booth::Syntaxes::Domain.call(domain).valid_domain
       end
 
       def normalize_scope
         self.scope = ::Booth::Syntaxes::Scope.call(scope).normalized_scope
       end
 
-      def stringify_allowed_modes
-        self.allowed_modes = Array(allowed_modes).map(&:to_s)
+      def normalize_username
+        self.username = ::Booth::Syntaxes::Username.call(username).normalized_username
       end
     end
   end

data/lib/booth/models/onboarding.rb

@@ -1,60 +1,37 @@
+# frozen_string_literal: true
+
 module Booth
   module Models
+    # Log in via a special URL, forcing you to delete all your existing authenticators.
     class Onboarding < ::Booth::Models::ApplicationRecord
-      include ::Booth::Logging
-      include ::Booth::Models::Concerns::Modeable
-      include ::Booth::Models::Concerns::Passwordable
-      include ::Booth::Models::Concerns::Otpable
-
       self.table_name = 'booth_onboardings'
 
-      belongs_to :credential, class_name: '::Booth::Models::Credential'
+      belongs_to :credential
 
       validates :credential_id, uniqueness: true
-      validates :webauthn_id, presence: true
-      validates :authenticator_nickname, length: { minimum: 3, maximum: 40 }, allow_blank: true
-
-      before_validation :ensure_webauthn_id
 
       # See https://github.com/rails/rails/blob/main/activerecord/lib/active_record/secure_token.rb
       has_secure_token :secret_key, length: 30
-      delegate :allowed_modes, :scope, :username, to: :credential
-
-      attr_accessor :otp_confirmation
+      delegate :domain, :scope, :username, to: :credential
 
       scope :includes_scope, -> { includes(:credential) }
       scope :sorted_scope, -> { order(:created_at) }
 
-      def step
-        ::Booth::Onboardings::Step.call(self)
-      end
-
-      def lifetime
-        ::Booth.config.onboarding_window
-      end
-
-      def completed?
-        step == :completed
-      end
-
-      def authenticator?
-        authenticator_public_key.present?
+      # Distinguish "first time onboarding" from high-stakes "I lost my authenticator".
+      def lifespan
+        if credential.authenticators.any?
+          12.hours
+        else
+          1.week
+        end
       end
 
-      def propagated?
-        propagated_at.present?
+      def consumed?
+        consumed_at.present?
       end
 
-      def recently_created?
-        created_at > lifetime.ago
-      end
-
-      private
-
-      def ensure_webauthn_id
-        return if webauthn_id.present?
-
-        self.webauthn_id = ::WebAuthn.generate_user_id
+      def timed_out?
+        created_at < lifespan.ago
       end
     end
   end

data/lib/booth/models/{contest.rb → remote.rb}

@@ -1,21 +1,24 @@
+# frozen_string_literal: true
+
 module Booth
   module Models
-    class Contest < ::Booth::Models::ApplicationRecord
-      self.table_name = 'booth_contests'
+    # Login remotely by entering a code in the browser of an existing session.
+    class Remote < ::Booth::Models::ApplicationRecord
+      self.table_name = 'booth_remotes'
 
       belongs_to :credential
 
       before_validation :ensure_code
       before_validation :update_location
 
-      validates :credential_id, :code, :ip, presence: true
       validates :credential_id, uniqueness: true
-      validates :reason, presence: true, inclusion: %w[login support]
+      validates :code, :ip, presence: true
 
-      scope :recently_created_scope, -> { ::Booth::Models::Contests::Scopes::RecentlyCreated.scope(self) }
-      scope :recently_responded_scope, -> { ::Booth::Models::Contests::Scopes::RecentlyResponded.scope(self) }
+      scope :recently_created_scope, -> { ::Booth::Models::Remotes::Scopes::RecentlyCreated.scope(self) }
 
-      delegate :browser_name, :platform_name, :browser_image_path, :platform_image_path, to: :user_agent
+      delegate :browser_name, :platform_name, :browser_image_path, :platform_image_path,
+               to: :user_agent
+      delegate :lifespan, to: :class
 
       def self.lifespan
         ::Booth.config.interaction_timeout
@@ -26,15 +29,11 @@ module Booth
       end
 
       def recently_created?
-        ::Booth::Models::Contests::Scopes::RecentlyCreated.call(self)
+        ::Booth::Models::Remotes::Scopes::RecentlyCreated.call(self)
       end
 
       def recently_responded?
-        ::Booth::Models::Contests::Scopes::RecentlyResponded.call(self)
-      end
-
-      def lifespan
-        self.class.lifespan
+        ::Booth::Models::Remotes::Scopes::RecentlyResponded.call(self)
       end
 
       private
@@ -44,7 +43,7 @@ module Booth
       end
 
       def update_location
-        self.location = ::Booth::Geolocation.lookup(ip)
+        self.location = ::Booth::Core::Geolocation.lookup(ip)
       end
 
       def user_agent

data/lib/booth/models/remotes/scopes/recently_created.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Booth
+  module Models
+    module Remotes
+      module Scopes
+        # Determines if a Remote was created recently.
+        class RecentlyCreated
+          include Calls
+
+          param :remote
+
+          def self.scope(base)
+            base.where.not(created_at: nil)
+                .where('created_at > ?', ::Booth::Models::Remote.lifespan.ago)
+          end
+
+          def call
+            remote.created_at.present? &&
+              remote.created_at > ::Booth::Models::Remote.lifespan.ago
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/models/remotes/scopes/recently_responded.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Booth
+  module Models
+    module Remotes
+      module Scopes
+        class RecentlyResponded
+          include Calls
+
+          param :remote
+
+          def self.scope(base)
+            base.where.not(created_at: nil)
+                .where.not(responded_at: nil)
+                .where('created_at > ?', lifespan.ago)
+                .where('responded_at > ?', lifespan.ago)
+          end
+
+          def call
+            remote.created_at.present? &&
+              remote.responded_at.present? &&
+              remote.created_at > lifespan.ago &&
+              remote.responded_at > lifespan.ago
+          end
+
+          private
+
+          def lifespan
+            remote.class.lifespan
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/models/session.rb

@@ -1,28 +1,33 @@
+# frozen_string_literal: true
+
 module Booth
   module Models
+    # Essentially the session Cookie in one Browser.
     class Session < ::Booth::Models::ApplicationRecord
       self.table_name = :booth_sessions
 
-      def self.lifetime
-        ::Booth.config.session_inactivity_lifetime
-      end
-
-      belongs_to :credential, class_name: '::Booth::Models::Credential'
+      belongs_to :credential
 
       before_create :ensure_activity_at
       before_create :denormalize_and_geolocate_ip
 
       # First of all it has to be not deleted, but also it must not be way too old.
-      scope :active_scope, -> { where(revoked_at: nil).where('activity_at > ?', lifetime.ago) }
+      scope :active_scope, -> { where(revoked_at: nil).where('activity_at > ?', lifespan.ago) }
       scope :owned_by_scope, lambda { |credential_id:|
         active_scope.where('credential_id = ? OR incognito_credential_id = ?', credential_id, credential_id)
       }
+      scope :includes_scope, -> { includes(:credential) }
       scope :sorted_scope, -> { order(activity_at: :desc) }
 
-      delegate :browser_name, :platform_name, :browser_image_path, :platform_image_path, to: :user_agent
+      delegate :browser_name, :platform_name, :browser_image_path, :platform_image_path,
+               to: :user_agent
+
+      def self.lifespan
+        ::Booth.config.session_inactivity_lifetime
+      end
 
       def historical_location_names
-        ::Booth::Sessions::HistoricalLocations.call(self)
+        ::Booth::Core::Sessions::HistoricalLocations.call(self)
       end
 
       private
@@ -31,10 +36,10 @@ module Booth
         self.activity_at = Time.current
       end
 
-      # These attributes are later updated via SQL.
+      # These attributes are later set via SQL.
       # This method here only sets the initial state.
       def denormalize_and_geolocate_ip
-        self.location = ::Booth::Geolocation.lookup(most_recent_ip)
+        self.location = ::Booth::Core::Geolocation.lookup(most_recent_ip)
         self.historical_locations = { most_recent_ip => location }
         self.historical_ips = { most_recent_ip => Time.current.to_i }
       end

data/lib/booth/models/user_agent.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Models
     class UserAgent

data/lib/booth/request.rb

@@ -1,30 +1,55 @@
+# frozen_string_literal: true
+
 module Booth
-  # Convenience wrapper for `Rack::Request`.
+  # Convenience wrapper for Rack::Request.
   class Request
     include ::Booth::Logging
-
-    # Can be used as a DRY::Initializer Coercer.
-    # See https://dry-rb.org/gems/dry-initializer/master/type-constraints/#back-references
-    def self.call(request, initializer)
-      # `request` is an `ActionDispatch::Request` or a `Rack::Request`.
-      # But if it already has been coerced, just return it immediately.
-      # This makes it easier to pass the request from one MethodObject to another.
-      return request if request.is_a?(self)
-
-      # `initializer` is an instance that is trying to coerce one of its params into a `Booth::Request`.
-      # By convention, that's where we assume the scope to be specified. So we take it from there.
-      new(request:, scope: initializer.scope)
-    end
-
+    # Initializes a new Booth::Request instance.
+    #
+    # **Parameters:**
+    #
+    # - `:request` - The request object (`ActionDispatch::Request`, `Rack::Request`, or
+    #                +Booth::Request+).
+    #
+    # - `scope` - The controller scope identifier (Symbol).
     def initialize(request:, scope:)
-      request = ActionDispatch::Request.new(request.env) if request.is_a?(Rack::Request)
+      # Sometimes we pass the request instance from one `Calls` object to another.
+      # In that case, unwrap the underlying request and take that as basis.
+      # if request.is_a?(::Booth::Request)
+      #   return request if request.scope == scope
+      #   #request = request.send(:request)
+      # end
+
+      # The underlying `request` is an `ActionDispatch::Request` or a `Rack::Request`.
+      # For consistency, we always convert to the more rich interface provided by Rails.
+      request = ActionDispatch::Request.new(request.env) if request.is_a?(::Rack::Request)
 
       @request = request
       @scope = ::Booth::Syntaxes::Scope.call(scope).normalized_scope
     end
 
+    # A Controller that logs the user in, needs to know in which scope to login to.
+    # The +scope+ is an authoritative way for the Rails developer to specify a dedicated area.
+    #
+    # For example:
+    #
+    # ```ruby
+    # Booth::Userland.new_login(scope: :admin, ...)
+    # Booth::Userland.new_login(scope: :guest, ...)
+    # ```
+    #
+    # The implementation could then check if a user is already logged in in that
+    # +scope+, while ignoring other scopes.
+    #
+    # For convenience, we store the authoritative controller +scope+ here, in the request wrapper.
     attr_reader :scope
 
+    delegate :port, to: :request
+
+    def host
+      ::Booth::Syntaxes::Domain.call(request.host).valid_domain
+    end
+
     def agent
       ::Booth::Requests::Agent.call(request:)
     end
@@ -34,7 +59,7 @@ module Booth
     end
 
     def location
-      ::Booth::Geolocation.lookup(ip)
+      ::Booth::Core::Geolocation.lookup(ip)
     end
 
     def authentication
@@ -64,14 +89,10 @@ module Booth
       ::Booth::Requests::ReturnPath.call(params:)
     end
 
-    # ------------
-    # Requirements
-    # ------------
-
     def must_be_logged_in!
       return if authentication.logged_in?
 
-      debug { "Expected someone to be logged in in scope #{scope.inspect}" }
+      log { "Expected someone to be logged in in scope #{scope.inspect}" }
       raise ::Booth::Errors::NotAuthenticated
     end
 

data/lib/booth/requests/agent.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module Booth
   module Requests
     class Agent
-      include ::Booth::MethodObject
+      include Calls
 
       option :request
 

data/lib/booth/requests/authentication.rb

@@ -1,7 +1,11 @@
+# frozen_string_literal: true
+
 module Booth
   module Requests
     # Convenience wrapper for `Warden::Manager`.
     class Authentication
+      include ::Booth::Logging
+
       delegate :username, :credential_id, :mode,
                to: :passport,
                allow_nil: true
@@ -12,17 +16,23 @@ module Booth
       end
 
       def login(session:)
-        # Whatever instance we pass in to Warden,
-        # it needs to be that, which we also want do get out.
-        # Because serialization only takes place for the *next* request.
+        log { "Persisting Session in Cookie for scope #{scope}" }
+        # Warden's serialization mechanism only takes place for the *next* request.
         # In the *same* request, whatever we pass in, is returned back as it is.
-        warden.set_user ::Booth::Sessions::ToPassport.call(session), scope:
+        # That's why we don't pass in some ID here, but the entire Passport object
+        # (which is that what we normally would receive by Warden's deserialization).
+        warden.set_user ::Booth::Core::Sessions::ToPassport.call(session), scope:
       end
 
       def logged_in?
+        log { "Checking whether logged in in scope #{scope}" }
         warden.authenticated?(scope)
       end
 
+      def logged_out?
+        !logged_in?
+      end
+
       def logged_in_as?(credential:)
         logged_in? && credential.id == credential_id
       end
@@ -32,7 +42,7 @@ module Booth
       end
 
       def session_id
-        passport&.id
+        passport&.session_id
       end
 
       private

data/lib/booth/requests/ip.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module Booth
   module Requests
     class Ip
-      include ::Booth::MethodObject
+      include Calls
 
       option :request
       option :raise_if_invalid, default: -> { true }
@@ -10,7 +12,7 @@ module Booth
         check = ::Booth::Syntaxes::Ip.call(raw_ip)
         check.on_success { return check.normalized_ip }
 
-        raise ArgumentError "Invalid IP: #{raw_ip.inspect}" if raise_if_invalid
+        raise ArgumentError, "Invalid IP: #{raw_ip.inspect}" if raise_if_invalid
 
         check
       end

data/lib/booth/requests/return_path.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module Booth
   module Requests
     class ReturnPath
-      include ::Booth::MethodObject
+      include Calls
       include ::Booth::Logging
 
       option :params
@@ -20,7 +22,7 @@ module Booth
         # We always assume it is a full path and fix any missing beginning slash.
         result.starts_with?('/') ? result : result.prepend('/')
       rescue URI::InvalidURIError
-        debug { "Invalid return path: #{raw_return_path.inspect}" } if raw_return_path
+        log { "Invalid return path: #{raw_return_path.inspect}" } if raw_return_path
         nil
       end
 

data/lib/booth/requests/session.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Requests
     # Convenience wrapper for `ActionDispatch::Session::CookieStore`.
@@ -41,11 +43,11 @@ module Booth
       end
 
       def reset
-        debug { "Resetting #{namespace.inspect} cookie data in scope #{scope.inspect}" }
+        log { "Resetting #{namespace.inspect} cookie data in scope #{scope.inspect}" }
 
         # There is no `#delete_if` in a `ActionDispatch::Request::Session`.
-        keys_to_delete = session.keys.select { _1.to_s.start_with?(path(nil)) }
-        keys_to_delete.each { session.delete(_1) }
+        keys_to_delete = session.keys.select { it.to_s.start_with?(path(nil)) }
+        keys_to_delete.each { session.delete(it) }
       end
 
       # -----
@@ -89,7 +91,7 @@ module Booth
       def reset_if_too_old!
         return if seconds_until_auto_reset.positive?
 
-        debug do
+        log do
           "Timeout-resetting #{namespace.inspect} cookie data in scope #{scope.inspect} " \
             "because it is older than #{lifespan} seconds"
         end

data/lib/booth/requests/storage.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Booth
   module Requests
     class Storage
@@ -10,53 +12,25 @@ module Booth
 
       def login
         @login ||= ::Booth::Requests::Storages::Login.new(
-          session: request.session(namespace: :login)
-        )
-      end
-
-      def otp
-        @otp ||= ::Booth::Requests::Storages::Otp.new(
-          session: request.session(namespace: :otp)
+          session: request.session(namespace: :login),
         )
       end
 
       def webauth
         @webauth ||= ::Booth::Requests::Storages::Webauth.new(
-          session: request.session(namespace: :webauth)
-        )
-      end
-
-      def password
-        @password ||= ::Booth::Requests::Storages::Password.new(
-          session: request.session(namespace: :password)
-        )
-      end
-
-      def password_reset
-        @password_reset ||= ::Booth::Requests::Storages::PasswordReset.new(
-          session: request.session(namespace: :password_reset)
-        )
-      end
-
-      def recovery
-        @recovery ||= ::Booth::Requests::Storages::Recovery.new(
-          session: request.session(namespace: :recovery)
+          session: request.session(namespace: :webauth),
         )
       end
 
       def registration
         @registration ||= ::Booth::Requests::Storages::Registration.new(
-          session: request.session(namespace: :registration)
+          session: request.session(namespace: :registration),
         )
       end
 
       private
 
       attr_reader :scope, :request
-
-      def session
-        request.session(namespace: :sudo)
-      end
     end
   end
 end