booth 0.0.1

data/lib/booth/syntaxes/contest_code.rb

@@ -0,0 +1,58 @@
+module Booth
+  module Syntaxes
+    class ContestCode
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      param :input
+
+      def call
+        debug { "Checking contest #{input.inspect} for valid syntax..." }
+        check_blank.on_success { check_characters }
+                   .on_success { check_length }
+      end
+
+      private
+
+      def check_blank
+        return Tron.success :contest_code_present if input.present?
+
+        debug { 'This contest is blank.' }
+        Tron.failure :blank_contest_code,
+                     normalized_contest_code: nil,
+                     public_message: I18n.t('booth.blank_contest_code')
+      end
+
+      def check_characters
+        return Tron.success :contest_code_consists_of_digits if input_without_spaces.match?(allowed_regexp)
+
+        debug { 'This contest contains invalid characters' }
+        Tron.failure :invalid_contest_code_format,
+                     normalized_contest_code: nil,
+                     public_message: I18n.t('booth.invalid_contest_code_format')
+      end
+
+      def check_length
+        if input_without_spaces.to_s.length == ::Booth.config.contest_digits
+          return Tron.success :valid_contest_code_syntax,
+                              normalized_contest_code: input_without_spaces
+        end
+
+        debug { "This contest is not #{::Booth.config.contest_digits} characters long." }
+        Tron.failure :wrong_contest_code_length,
+                     normalized_contest_code: nil,
+                     public_message: I18n.t('booth.wrong_contest_code_length', digits: ::Booth.config.contest_digits)
+      end
+
+      # Helpers
+
+      def input_without_spaces
+        input.to_s.delete(' ')
+      end
+
+      def allowed_regexp
+        /\A\d+\z/
+      end
+    end
+  end
+end

data/lib/booth/syntaxes/email.rb

@@ -0,0 +1,97 @@
+module Booth
+  module Syntaxes
+    class Email
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      param :input
+
+      def call
+        debug { "Checking email #{input.inspect} for valid syntax..." }
+        check_blank.on_success { check_too_short }
+                   .on_success { check_too_long }
+                   .on_success { check_characters }
+                   .on_success { check_ampersand }
+      end
+
+      private
+
+      def check_blank
+        return Tron.success :email_present if input.present?
+
+        debug { 'This email is blank.' }
+        Tron.failure :blank_email,
+                     normalized_email: nil,
+                     normalized_invalid_email: normalized_email,
+                     public_message: I18n.t('booth.blank_email')
+      end
+
+      def check_too_short
+        return Tron.success :email_not_too_short if input.to_s.length >= min_length
+
+        debug { "This email is less than #{min_length} characters long." }
+        Tron.failure :email_is_too_short,
+                     normalized_email: nil,
+                     normalized_invalid_email: normalized_email,
+                     public_message: I18n.t('booth.email_too_short', minimum: min_length)
+      end
+
+      def check_too_long
+        return Tron.success :email_not_too_long if input.to_s.length <= max_length
+
+        debug { "This email is more than #{max_length} characters long." }
+        Tron.failure :email_is_too_long,
+                     normalized_email: nil,
+                     normalized_invalid_email: normalized_email,
+                     public_message: I18n.t('booth.email_too_long', maximum: max_length)
+      end
+
+      def check_characters
+        return Tron.success :all_characters_valid if input.to_s.length == normalized_email.length
+
+        debug { 'This email contains invalid characters' }
+        Tron.failure :invalid_email_format,
+                     normalized_email: nil,
+                     normalized_invalid_email: normalized_email,
+                     public_message: I18n.t('booth.invalid_email_characters')
+      end
+
+      # See https://github.com/heartcombo/devise/blob/8593801130f2df94a50863b5db535c272b00efe1/lib/devise.rb#L112-L116
+      def check_ampersand
+        if input.to_s.match(/\A[^@]+@[^@]+\z/)
+          debug { 'This email has the correct syntax' }
+          return Tron.success :valid_email_syntax,
+                              normalized_email:,
+                              normalized_invalid_email: normalized_email
+        end
+
+        debug { 'This email does not contain an ampersand' }
+        Tron.failure :email_ampersand_invalid,
+                     normalized_email: nil,
+                     normalized_invalid_email: normalized_email,
+                     public_message: I18n.t('booth.invalid_email_format')
+      end
+
+      # Limit size to prevent cookie overflows.
+      def normalized_email
+        input.to_s
+             .downcase
+             .delete("^#{allowed_characters}")
+             .to(max_length - 1)
+             .presence
+      end
+
+      def allowed_characters
+        ::Regexp.escape 'abcdefghijklmnopqrstuvwxyz0123456789@ßöäü_+-,.!?#$%'
+      end
+
+      def min_length
+        3
+      end
+
+      def max_length
+        254
+      end
+    end
+  end
+end

data/lib/booth/syntaxes/ip.rb

@@ -0,0 +1,37 @@
+module Booth
+  module Syntaxes
+    class Ip
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      param :input
+
+      def call
+        # debug { "Checking IP address #{input.inspect} for valid syntax..." }
+        check_blank.on_success { check_validity }
+      end
+
+      private
+
+      def check_blank
+        return Tron.success :ip_present if input.present?
+
+        # debug { 'This IP is blank.' }
+        Tron.failure :blank_ip, normalized_ip: nil
+      end
+
+      def check_validity
+        return Tron.success :ip_valid, normalized_ip: ip_addr.to_s if ip_addr
+
+        # debug { 'This IP is invalid.' }
+        Tron.failure :invalid_ip, normalized_ip: nil
+      end
+
+      def ip_addr
+        IPAddr.new(input)
+      rescue ArgumentError
+        nil
+      end
+    end
+  end
+end

data/lib/booth/syntaxes/otp.rb

@@ -0,0 +1,57 @@
+module Booth
+  module Syntaxes
+    class Otp
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      param :input
+
+      def call
+        check_blank.on_success { check_characters }
+                   .on_success { check_length }
+      end
+
+      private
+
+      def check_blank
+        return Tron.success :otp_present if input.present?
+
+        debug { "OTP #{input.inspect} is blank." }
+        Tron.failure :blank_otp,
+                     normalized_otp: nil,
+                     public_message: I18n.t('booth.blank_otp')
+      end
+
+      def check_characters
+        return Tron.success :otp_consists_of_digits if input_without_spaces.match?(allowed_regexp)
+
+        debug { "OTP #{input.inspect} contains invalid characters" }
+        Tron.failure :invalid_otp_format,
+                     normalized_otp: nil,
+                     public_message: I18n.t('booth.invalid_otp_format')
+      end
+
+      def check_length
+        if input_without_spaces.to_s.length == ::Booth.config.otp_digits
+          return Tron.success :valid_otp_syntax,
+                              normalized_otp: input_without_spaces
+        end
+
+        debug { "OTP #{input.inspect} is not #{::Booth.config.otp_digits} characters long." }
+        Tron.failure :wrong_otp_length,
+                     normalized_otp: nil,
+                     public_message: I18n.t('booth.wrong_otp_length', digits: ::Booth.config.otp_digits)
+      end
+
+      # Helpers
+
+      def input_without_spaces
+        input.to_s.delete(' ')
+      end
+
+      def allowed_regexp
+        /\A\d+\z/
+      end
+    end
+  end
+end

data/lib/booth/syntaxes/scope.rb

@@ -0,0 +1,21 @@
+module Booth
+  module Syntaxes
+    class Scope
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      param :input
+
+      def call
+        return Tron.success(:valid_scope_syntax, normalized_scope: input.to_sym) if regexp.match(input.to_s)
+
+        raise ::Booth::Errors::InvalidScopeSyntax, input
+      end
+
+      # Same convention as a Ruby variable name.
+      def regexp
+        /\A[a-z]{1}[a-z0-9_]+[a-z0-9]{1}\z/
+      end
+    end
+  end
+end

data/lib/booth/syntaxes/scope_comparison.rb

@@ -0,0 +1,28 @@
+module Booth
+  module Syntaxes
+    class ScopeComparison
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      option :this, as: :raw_this
+      option :that, as: :raw_that
+
+      def call
+        return Tron.success(:identical_scopes) if this == that
+
+        debug { "The requested scope #{this.inspect} does not match what's on record #{that.inspect}" }
+        Tron.failure :mismatching_scopes, this:, that:
+      end
+
+      private
+
+      def this
+        ::Booth::Syntaxes::Scope.call(raw_this).normalized_scope
+      end
+
+      def that
+        ::Booth::Syntaxes::Scope.call(raw_that).normalized_scope
+      end
+    end
+  end
+end

data/lib/booth/syntaxes/secret_key.rb

@@ -0,0 +1,64 @@
+module Booth
+  module Syntaxes
+    class SecretKey
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      param :input
+
+      def call
+        debug { "Checking secret key #{input.inspect} for valid syntax..." }
+        check_missing.on_success { check_blank }
+                     .on_success { check_length }
+                     .on_success { check_characters }
+      end
+
+      private
+
+      def check_missing
+        return Tron.success :secret_key_non_nil unless input.nil?
+
+        debug { 'This secret key is nil.' }
+        Tron.failure :missing_secret_key,
+                     normalized_secret_key: nil,
+                     public_message: I18n.t('booth.missing_secret_key')
+      end
+
+      def check_blank
+        return Tron.success :secret_key_present if input.present?
+
+        debug { 'This secret key is blank.' }
+        Tron.failure :blank_secret_key,
+                     normalized_secret_key: nil,
+                     public_message: I18n.t('booth.blank_secret_key')
+      end
+
+      def check_length
+        return Tron.success :secret_key_has_correct_length if input.to_s.length == 30
+
+        debug { 'This secret key is not 30 characters long.' }
+        Tron.failure :wrong_secret_key_length,
+                     normalized_secret_key: nil,
+                     public_message: I18n.t('booth.wrong_secret_key_length')
+      end
+
+      def check_characters
+        if input.to_s.match?(allowed_regexp)
+          return Tron.success :valid_secret_key_syntax,
+                              normalized_secret_key: input.to_s
+        end
+
+        debug { 'This secret key contains invalid characters' }
+        Tron.failure :invalid_secret_key_format,
+                     normalized_secret_key: nil,
+                     public_message: I18n.t('booth.invalid_secret_key_format')
+      end
+
+      # Helpers
+
+      def allowed_regexp
+        /\A[1-9a-zA-Z]{30}\z/
+      end
+    end
+  end
+end

data/lib/booth/syntaxes/username.rb

@@ -0,0 +1,85 @@
+module Booth
+  module Syntaxes
+    class Username
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      param :input
+
+      def call
+        # debug { "Checking username #{input.inspect} for valid syntax..." }
+        check_blank.on_success { check_too_short }
+                   .on_success { check_too_long }
+                   .on_success { check_characters }
+      end
+
+      private
+
+      def check_blank
+        return Tron.success :username_present if input.present?
+
+        debug { 'This username is blank.' }
+        Tron.failure :blank_username,
+                     normalized_username: nil,
+                     normalized_invalid_username: normalized_username,
+                     public_message: I18n.t('booth.blank_username')
+      end
+
+      def check_too_short
+        return Tron.success :username_not_too_short if input.to_s.length >= min_length
+
+        debug { "This username is less than #{min_length} characters long." }
+        Tron.failure :username_is_too_short,
+                     normalized_username: nil,
+                     normalized_invalid_username: normalized_username,
+                     public_message: I18n.t('booth.username_too_short', minimum: min_length)
+      end
+
+      def check_too_long
+        return Tron.success :username_not_too_long if input.to_s.length <= max_length
+
+        debug { "This username is more than #{max_length} characters long." }
+        Tron.failure :username_is_too_long,
+                     normalized_username: nil,
+                     normalized_invalid_username: normalized_username,
+                     public_message: I18n.t('booth.username_too_long', maximum: max_length)
+      end
+
+      def check_characters
+        if input.to_s.length == normalized_username.length
+          debug { 'This username has the correct syntax' }
+          return Tron.success :valid_username_syntax,
+                              normalized_username:,
+                              normalized_invalid_username: normalized_username
+        end
+
+        debug { 'This username contains invalid characters' }
+        Tron.failure :invalid_username_format,
+                     normalized_username: nil,
+                     normalized_invalid_username: normalized_username,
+                     public_message: I18n.t('booth.invalid_username_format')
+      end
+
+      # Limit size to prevent cookie overflows.
+      def normalized_username
+        input.to_s
+             .downcase
+             .delete("^#{allowed_characters}")
+             .to(max_length - 1)
+             .presence
+      end
+
+      def allowed_characters
+        ::Regexp.escape 'abcdefghijklmnopqrstuvwxyz0123456789@ßöäü_+-,.!?#$%'
+      end
+
+      def min_length
+        3
+      end
+
+      def max_length
+        50
+      end
+    end
+  end
+end

data/lib/booth/syntaxes/uuid.rb

@@ -0,0 +1,23 @@
+module Booth
+  module Syntaxes
+    class Uuid
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      param :input
+      option :raise_if_invalid, default: -> { true }
+
+      def call
+        return Tron.success(:valid_uuid, uuid: input) if regexp.match(input.to_s)
+        raise ArgumentError, "Invalid UUID: #{input.inspect}" if raise_if_invalid
+
+        Tron.failure :invalid_uuid, uuid: nil
+      end
+
+      # For practical reasons we only accept downcased (i.e. normalized) UUIDs.
+      def regexp
+        /\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/
+      end
+    end
+  end
+end

data/lib/booth/test/helpers.rb

@@ -0,0 +1,63 @@
+require 'active_support/testing/time_helpers'
+
+require_relative 'support/assert_all_partials_were_covered'
+require_relative 'support/assert_logged_in'
+require_relative 'support/assert_logged_out'
+require_relative 'support/assert_partial'
+require_relative 'support/get_session_value'
+require_relative 'support/otp_code_from_session'
+require_relative 'support/soft_reset_session'
+require_relative 'webauthn/disable'
+require_relative 'webauthn/enable'
+require_relative 'webauthn/virtual_authenticators/create'
+require_relative 'webauthn/virtual_authenticators/destroy'
+
+module Booth
+  module Test
+    module Helpers
+      extend ActiveSupport::Concern
+
+      included do
+        include ActiveSupport::Testing::TimeHelpers
+      end
+
+      def assert_logged_out
+        ::Booth::Test::Support::AssertLoggedOut.call(page:, scope:)
+      end
+
+      def assert_logged_in(credential:)
+        ::Booth::Test::Support::AssertLoggedIn.call(page:, scope:, credential:)
+      end
+
+      def assert_userland_partial(controller:, step:)
+        ::Booth::Test::Support::AssertPartial.call(page:, namespace: :userland, controller:, step:)
+      end
+
+      def extract_otp_secret_key_and_generate_code
+        secret_key = page.body.split('?secret=').last.split('&').first
+        raise 'Expected an OTP secret but found none' if secret_key.blank?
+
+        code = ::Booth::Models::Credential.new(otp_secret_key: secret_key).otp_code
+        Booth.config.logger&.debug(to_s) { "Extracted OTP secret #{secret_key} and derived the code #{code}" }
+        code
+      end
+
+      def soft_reset_session
+        ::Booth::Test::Support::SoftResetSession.call(page:)
+      end
+
+      def setup_virtual_authenticator_environment
+        # For some reason, the Chrome Virtual Authenticator Environment often leaks from one test to the next.
+        # All kinds of errors in Webauth only cause one single generic `NotAllowedError` for privacy reasons
+        # So it's impossible to debug the actual cause. I just found out after many hours that disabling first, works.
+        ::Booth::Test::Webauthn::Disable.call devtools: page.driver.browser.devtools
+        ::Booth::Test::Webauthn::Enable.call devtools: page.driver.browser.devtools
+      end
+
+      def create_virtual_authenticator(has_user_verification: true)
+        setup_virtual_authenticator_environment
+        ::Booth::Test::Webauthn::VirtualAuthenticators::Create.call(page:, has_user_verification:)
+      end
+    end
+  end
+end

data/lib/booth/test/support/assert_all_partials_were_covered.rb

@@ -0,0 +1,63 @@
+module Booth
+  module Test
+    module Support
+      class AssertAllPartialsWereCovered
+        include ::Booth::MethodObject
+
+        def call
+          return if missing_partials.empty?
+
+          raise "Expected these partials to be covered: #{missing_partials}"
+        end
+
+        private
+
+        def missing_partials
+          (expected_partials - covered_partials)
+        end
+
+        def expected_partials # rubocop:disable Metrics/MethodLength
+          %w[
+            userland/login/enter_otp
+            userland/login/enter_password
+            userland/login/enter_username
+            userland/login/enter_webauth
+            userland/login/needs_onboarding
+            userland/login/no_authenticators
+            userland/login/remote_session_available
+            userland/onboarding/already_logged_in
+            userland/onboarding/choose_password
+            userland/onboarding/choose_webauth_nickname
+            userland/onboarding/completed
+            userland/onboarding/confirm_otp
+            userland/onboarding/confirm_password
+            userland/onboarding/confirm_webauth
+            userland/onboarding/register_otp
+            userland/onboarding/register_webauth
+            userland/onboarding/timed_out
+            userland/otp/add
+            userland/otp/confirm
+            userland/otp/register
+            userland/otp/show
+            userland/otp/successfully_changed
+            userland/otp/sudo
+            userland/password_reset/check_your_mail
+            userland/password_reset/choose_password
+            userland/password_reset/completed
+            userland/password_reset/confirm_password
+            userland/password_reset/logout_first
+            userland/password_reset/new
+            userland/password_reset/revoked
+            userland/password_reset/throttled
+            userland/password_reset/timed_out
+            userland/password_reset/wrong_user_logged_in
+          ]
+        end
+
+        def covered_partials
+          Booth::Test::Support::AssertPartial.asserted_partials.to_a
+        end
+      end
+    end
+  end
+end

data/lib/booth/test/support/assert_logged_in.rb

@@ -0,0 +1,49 @@
+module Booth
+  module Test
+    module Support
+      class AssertLoggedIn
+        class AssertionFailedError < StandardError; end
+
+        include ::Booth::MethodObject
+        include ::Booth::Logging
+
+        option :page
+        option :scope
+        option :credential
+
+        def call
+          tries ||= 0
+          ::Capybara::Lockstep.synchronize
+
+          active_sessions.each do |session|
+            browser_session_id = ::Booth::Test::Support::GetSessionValue.call(page:, key:)
+            return true if browser_session_id == session.id.to_s
+          end
+
+          raise AssertionFailedError, "Expected Credential `#{credential.id}` to be logged in with a session of: #{active_sessions.map(&:id)}"
+
+        # With the Webauth pingpong it sometimes takes a little longer.
+        # And Capybara Lockstep doesn't seem to be able to detect that.
+        rescue AssertionFailedError
+          if (tries += 1) < 3
+            debug { 'Trying again...' }
+            sleep 1
+            retry
+          end
+
+          raise
+        end
+
+        private
+
+        def active_sessions
+          credential.sessions.active_scope.sorted_scope
+        end
+
+        def key
+          "warden.user.#{scope}.key"
+        end
+      end
+    end
+  end
+end

data/lib/booth/test/support/assert_logged_out.rb

@@ -0,0 +1,30 @@
+module Booth
+  module Test
+    module Support
+      class AssertLoggedOut
+        include ::Booth::MethodObject
+
+        option :page
+        option :scope
+
+        def call
+          ::Capybara::Lockstep.synchronize
+
+          return unless logged_in?
+
+          raise 'Expected nobody to logged in, but somebody is logged in.'
+        end
+
+        private
+
+        def logged_in?
+          ::Booth::Test::Support::GetSessionValue.call(page:, key:)
+        end
+
+        def key
+          "warden.user.#{scope}.key"
+        end
+      end
+    end
+  end
+end