booth 0.0.1

data/lib/booth/test/userland/onboardings/timeout.rb

@@ -0,0 +1,47 @@
+module Booth
+  module Test
+    module Userland
+      module Onboardings
+        class Timeout
+          include ::Booth::MethodObject
+          include ::Booth::Test::Helpers
+          include ActiveSupport::Testing::TimeHelpers
+
+          option :page
+          option :scope
+          option :show_onboarding_path
+
+          def call
+            # Setup
+            freeze_time
+
+            credential = ::Booth::Models::Credential.create!(
+              username: 'alice',
+              password: 'qwrasfyxv',
+              scope:,
+              mode: :username_and_password,
+              allowed_modes: %i[username_and_password username_and_webauth]
+            )
+
+            onboarding = ::Booth::Models::Onboarding.create!(
+              credential_id: credential.id,
+              mode: :first_time
+            )
+
+            # Onboarding
+
+            travel 7.days - 1.minute
+
+            page.visit show_onboarding_path.sub('ID', onboarding.secret_key)
+            assert_userland_partial controller: :onboarding, step: :choose_mode
+
+            travel 2.minutes
+
+            page.visit show_onboarding_path.sub('ID', onboarding.secret_key)
+            assert_userland_partial controller: :onboarding, step: :timed_out
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/test/userland/otps/manage.rb

@@ -0,0 +1,86 @@
+module Booth
+  module Test
+    module Userland
+      module Otps
+        class Manage
+          include ::Booth::MethodObject
+          include ::Booth::Test::Helpers
+
+          option :page
+          option :scope
+          option :new_login_path
+          option :show_otp_path
+          option :after_credential, default: -> {}
+
+          def call
+            # Setup
+
+            credential = ::Booth::Models::Credential.create!(
+              username: 'alice',
+              password: 'qwrasfyxv',
+              scope:,
+              mode: :username_and_password,
+              allowed_modes: %i[username_and_password username_password_and_otp]
+            )
+            after_credential&.call(credential.id)
+
+            # Login
+
+            page.visit new_login_path
+
+            assert_userland_partial controller: :login, step: :enter_username
+            page.fill_in :username, with: 'alice'
+            page.click_on :submit
+
+            assert_userland_partial controller: :login, step: :enter_password
+            page.fill_in :password, with: 'qwrasfyxv'
+            page.click_on :submit
+
+            # Add OTP
+
+            assert_logged_in credential: credential
+            page.visit show_otp_path
+
+            assert_userland_partial controller: :otp, step: :add
+            page.click_on :add
+
+            assert_userland_partial controller: :otp, step: :register
+            page.assert_selector '[data-booth=otpqr]'
+            page.assert_text 'otpauth://totp/'
+            page.click_on :registered
+
+            # Back one step
+
+            assert_userland_partial controller: :otp, step: :confirm
+            page.click_on :change
+
+            # Continue adding OTP
+
+            assert_userland_partial controller: :otp, step: :register
+            code = extract_otp_secret_key_and_generate_code
+            page.click_on :registered
+
+            assert_userland_partial controller: :otp, step: :confirm
+            page.fill_in :code, with: code
+            page.click_on :submit
+
+            assert_userland_partial controller: :otp, step: :successfully_changed
+
+            page.visit show_otp_path
+            assert_userland_partial controller: :otp, step: :show
+            page.assert_selector '[data-booth=otpqr]'
+            page.assert_text 'otpauth://totp/'
+
+            travel 19.minutes
+            page.visit show_otp_path
+            assert_userland_partial controller: :otp, step: :show
+
+            travel 2.minutes
+            page.visit show_otp_path
+            assert_userland_partial controller: :otp, step: :sudo
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/test/userland/password_resets/reset.rb

@@ -0,0 +1,102 @@
+module Booth
+  module Test
+    module Userland
+      module PasswordResets
+        class Reset
+          include ::Booth::MethodObject
+          include ::Booth::Test::Helpers
+
+          option :page
+          option :scope
+          option :new_login_path
+          option :new_password_reset_path
+          option :show_password_reset_path
+
+          def call
+            # Setup
+            alice = ::Booth::Models::Credential.create!(
+              username: 'alice',
+              password: 'qwrasfyxv',
+              scope:,
+              mode: :username_and_password,
+              allowed_modes: %i[username_and_password]
+            )
+
+            bobby = ::Booth::Models::Credential.create!(
+              username: 'bobby',
+              password: 'qwrasfyxv',
+              scope:,
+              mode: :username_and_password,
+              allowed_modes: %i[username_and_password]
+            )
+
+            bobbys_password_reset = ::Booth::Models::PasswordReset.create!(
+              credential: bobby,
+              creator_ip: '198.51.100.50'
+            )
+
+            bobbys_other_password_reset = ::Booth::Models::PasswordReset.create!(
+              credential: bobby,
+              creator_ip: '198.51.100.51'
+            )
+
+            # Request Password Reset
+            page.visit new_login_path
+            assert_userland_partial controller: :login, step: :enter_username
+            page.fill_in :username, with: 'alice'
+            page.click_on :submit
+            assert_userland_partial controller: :login, step: :enter_password
+            page.click_on :forgot
+            assert_userland_partial controller: :password_reset, step: :new
+            page.fill_in :email, with: 'alice@example.com'
+            page.click_on :submit
+            assert_userland_partial controller: :password_reset, step: :check_your_mail
+
+            # Forgot Login password
+            page.visit new_login_path
+            assert_userland_partial controller: :login, step: :enter_password
+            page.fill_in :password, with: 'qwrasfyxv'
+            page.click_on :submit
+            assert_logged_in credential: alice
+            page.visit new_password_reset_path
+            assert_userland_partial controller: :password_reset, step: :logout_first
+
+            # Reset password as wrong user
+            page.visit show_password_reset_path.sub('ID', bobbys_password_reset.secret_key)
+            assert_userland_partial controller: :password_reset, step: :wrong_user_logged_in
+            page.click_on :logout
+            assert_logged_out
+
+            # Timed out
+            travel 2.hours + 1.second
+            page.visit show_password_reset_path.sub('ID', bobbys_password_reset.secret_key)
+            assert_userland_partial controller: :password_reset, step: :timed_out
+            travel_back
+
+            # Reset password
+            page.visit show_password_reset_path.sub('ID', bobbys_password_reset.secret_key)
+            assert_userland_partial controller: :password_reset, step: :choose_password
+            page.fill_in :password, with: 'wetsdgxcb'
+            page.click_on :submit
+            page.click_on :change
+            assert_userland_partial controller: :password_reset, step: :choose_password
+            page.fill_in :password, with: 'rtufgjvbm'
+            page.click_on :submit
+            assert_userland_partial controller: :password_reset, step: :confirm_password
+            page.fill_in :password, with: 'rtufgjvbm'
+            page.click_on :submit
+            assert_userland_partial controller: :password_reset, step: :completed
+
+            # Refresh page
+            page.visit show_password_reset_path.sub('ID', bobbys_password_reset.secret_key)
+            assert_userland_partial controller: :password_reset, step: :completed
+
+            # Try a revoked token
+            page.visit show_password_reset_path.sub('ID', bobbys_other_password_reset.secret_key)
+            assert_userland_partial controller: :password_reset, step: :revoked
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/test/userland.rb

@@ -0,0 +1,38 @@
+module Booth
+  module Test
+    module Userland
+      class Scenario
+        attr_accessor :page, :scope, :new_login_path, :show_onboarding_path, :show_otp_path, :new_password_reset_path,
+                      :show_password_reset_path, :after_credential
+
+        def initialize(klass)
+          @klass = klass
+        end
+
+        def name
+          @klass.to_s.underscore.parameterize(separator: '_')
+        end
+
+        def call
+          arguments = @klass.dry_initializer.public_attributes(self)
+          @klass.call(**arguments)
+        end
+      end
+
+      def self.scenarios(skip_password_resets: false) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+        yield Scenario.new(Booth::Test::Userland::Logins::MissingAuthenticators)
+        yield Scenario.new(Booth::Test::Userland::Logins::MissingOnboarding)
+        yield Scenario.new(Booth::Test::Userland::Logins::UsernameAndPassword)
+        yield Scenario.new(Booth::Test::Userland::Logins::UsernameAndWebauth)
+        yield Scenario.new(Booth::Test::Userland::Logins::UsernamePasswordAndOtp)
+        yield Scenario.new(Booth::Test::Userland::Logins::UsernamePasswordAndWebauth)
+        yield Scenario.new(Booth::Test::Userland::Onboardings::AlreadyLoggedIn)
+        yield Scenario.new(Booth::Test::Userland::Onboardings::Otp)
+        yield Scenario.new(Booth::Test::Userland::Onboardings::Password)
+        yield Scenario.new(Booth::Test::Userland::Onboardings::Timeout)
+        yield Scenario.new(Booth::Test::Userland::Otps::Manage)
+        yield Scenario.new(Booth::Test::Userland::PasswordResets::Reset) unless skip_password_resets
+      end
+    end
+  end
+end

data/lib/booth/test/webauthn/disable.rb

@@ -0,0 +1,17 @@
+module Booth
+  module Test
+    module Webauthn
+      class Disable
+        include ::Booth::Logging
+        include ::Booth::MethodObject
+
+        option :devtools
+
+        def call
+          debug { 'Disabling Chrome Virtual Authenticator Environment...' }
+          devtools.send_cmd 'WebAuthn.disable'
+        end
+      end
+    end
+  end
+end

data/lib/booth/test/webauthn/enable.rb

@@ -0,0 +1,19 @@
+module Booth
+  module Test
+    module Webauthn
+      class Enable
+        include ::Booth::Logging
+        include ::Booth::MethodObject
+
+        option :devtools
+
+        def call
+          WebAuthn.configuration.origin = Capybara.current_session.server.base_url
+
+          debug { 'Ensuring enabled Chrome Virtual Authenticator Environment...' }
+          devtools.send_cmd 'WebAuthn.enable'
+        end
+      end
+    end
+  end
+end

data/lib/booth/test/webauthn/virtual_authenticators/create.rb

@@ -0,0 +1,38 @@
+module Booth
+  module Test
+    module Webauthn
+      module VirtualAuthenticators
+        class Create
+          include ::Booth::Logging
+          include ::Booth::MethodObject
+
+          option :page
+          option :has_user_verification
+
+          def call
+            options = ::Selenium::WebDriver::VirtualAuthenticatorOptions.new
+            options.user_verification = has_user_verification
+            options.user_verified = true
+
+            debug { "Registering Virtual Authenticator... #{options.as_json}" }
+            page.driver.browser.add_virtual_authenticator(options)
+
+            # debug { "Created #{authenticator.id}" }
+          end
+
+          # See https://chromedevtools.github.io/devtools-protocol/tot/WebAuthn/#type-VirtualAuthenticatorOptions
+          # def options
+          #   {
+          #     protocol: :ctap2,
+          #     transport: :internal,
+          #     hasResidentKey: false, # Chrome should not have to reveal a list of existing virtual authenticator IDs.
+          #     # isUserConsenting: true, # Not sure, this option exists in selenium but not in chrome?
+          #     hasUserVerification: has_user_verification,
+          #     isUserVerified: true,
+          #   }
+          # end
+        end
+      end
+    end
+  end
+end

data/lib/booth/test/webauthn/virtual_authenticators/destroy.rb

@@ -0,0 +1,20 @@
+module Booth
+  module Test
+    module Webauthn
+      module VirtualAuthenticators
+        class Destroy
+          include ::Booth::Logging
+          include ::Booth::MethodObject
+
+          option :devtools
+          option :id
+
+          def call
+            debug { "Removing Virtual Authenticator with ID #{id}" }
+            devtools.send_cmd 'WebAuthn.removeVirtualAuthenticator', authenticatorId: id
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/test.rb

@@ -0,0 +1,53 @@
+# Just in case
+raise 'Requiring `booth/test` is only intended for testing your code' unless Rails.env.test?
+
+def try_to_load_gem(gem_name, require_name = nil)
+  require_name = gem_name if require_name.nil?
+  require require_name
+rescue LoadError => e
+  raise "Please add the `#{gem_name}` gem to your test group (NOT development or production) - #{e.message}"
+end
+
+# Gems
+try_to_load_gem 'capybara-lockstep'
+try_to_load_gem 'rack_session_access'
+try_to_load_gem 'selenium-devtools', 'selenium/devtools'
+try_to_load_gem 'selenium-webdriver'
+require 'rack_session_access/capybara'
+
+# Internal Helpers
+require_relative 'test/helpers'
+require_relative 'test/support/force_login'
+
+# Tests
+require_relative 'test/userland/logins/missing_authenticators'
+require_relative 'test/userland/logins/missing_onboarding'
+require_relative 'test/userland/logins/username_and_password'
+require_relative 'test/userland/logins/username_and_webauth'
+require_relative 'test/userland/logins/username_password_and_otp'
+require_relative 'test/userland/logins/username_password_and_webauth'
+require_relative 'test/userland/onboardings/already_logged_in'
+require_relative 'test/userland/onboardings/otp'
+require_relative 'test/userland/onboardings/password'
+require_relative 'test/userland/onboardings/timeout'
+require_relative 'test/userland/otps/manage'
+require_relative 'test/userland/password_resets/reset'
+
+# Public API
+require_relative 'test/userland'
+
+module Booth
+  module Test
+    def self.middleware
+      ::RackSessionAccess::Middleware
+    end
+
+    def self.force_login(...)
+      ::Booth::Test::Support::ForceLogin.call(...)
+    end
+  end
+end
+
+Capybara.configure do |config|
+  config.test_id = 'data-booth' # How Booth interacts with your HTML elements.
+end

data/lib/booth/to_struct.rb

@@ -0,0 +1,11 @@
+module Booth
+  class ToStruct
+    include ::Booth::MethodObject
+
+    param :attributes
+
+    def call
+      ::Struct.new(*attributes.keys, keyword_init: true).new(**attributes)
+    end
+  end
+end

data/lib/booth/userland/extract_flash_messages.rb

@@ -0,0 +1,35 @@
+module Booth
+  module Userland
+    class ExtractFlashMessages
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      option :from
+      option :to
+
+      def call
+        check_arguments!
+        return unless from.respond_to?(:public_message)
+        return if from.public_message.blank?
+
+        if from.success?
+          debug { "Saving flash notice: #{from.public_message}" }
+          to[:notice] = from.public_message
+        else
+          debug { "Saving flash alert: #{from.public_message}" }
+          to[:alert] = from.public_message
+        end
+
+        nil
+      end
+
+      def check_arguments!
+        raise(ArgumentError, 'You can only extract flash messages from something that is not nil') if from.nil?
+
+        return if to.respond_to?(:notice=)
+
+        raise ArgumentError, "Please pass in `to: flash` for public flash messages not #{to.inspect}"
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/create.rb

@@ -0,0 +1,28 @@
+module Booth
+  module Userland
+    module Logins
+      class Create
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_post!
+
+          do_transition
+        end
+
+        private
+
+        def transitions
+          [
+            ::Booth::Logins::Transitions::Create::ChooseUsername,
+            ::Booth::Logins::Transitions::Create::EnterOtp,
+            ::Booth::Logins::Transitions::Create::SkipRemotes,
+            ::Booth::Logins::Transitions::Create::VerifyPassword,
+            ::Booth::Logins::Transitions::Create::WebauthAuthenticationInitiation,
+            ::Booth::Logins::Transitions::Create::WebauthAuthenticationVerification,
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/destroy.rb

@@ -0,0 +1,37 @@
+module Booth
+  module Userland
+    module Logins
+      class Destroy
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_delete!
+          request.must_be_html!
+
+          if request.authentication.logged_in?
+            public_message = I18n.t('booth.successfully_logged_out')
+            ::Booth::Audits::Register::Logout.call credential:,
+                                                   ip: request.ip,
+                                                   agent: request.agent
+          end
+
+          reset!
+
+          Tron.success :logged_out, return_path: request.return_path,
+                                    public_message:
+        end
+
+        private
+
+        def credential
+          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+        end
+
+        def reset!
+          request.storage.login.reset
+          request.authentication.logout
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/new.rb

@@ -0,0 +1,70 @@
+module Booth
+  module Userland
+    module Logins
+      class New
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+
+          if already_logged_in?
+            # Bail out early if it would conflict with another session.
+            # Because this could lead to strong confusion for the end-user.
+            ::Booth::Userland::Logins::Transitions::New::AlreadyLoggedIn.call(request:)
+
+          elsif storage.timed_out?
+            # The browser cookie just destroyed itself.
+            ::Booth::Userland::Logins::Transitions::New::TimedOut.call(request:)
+
+          elsif storage.credential_for_username.blank?
+            # First of all, we need a username.
+            # Without it we wouldn't know which credential to look for.
+            ::Booth::Userland::Logins::Transitions::New::NoUsernameChosen.call(request:)
+
+          elsif storage.credential_for_username.mode_first_time?
+            # If that username is not initialized, bail out again.
+            # This should be an informative site with remedy information.
+            ::Booth::Userland::Logins::Transitions::New::ModeFirstTime.call(request:)
+
+          elsif remote_session_available?
+            # If the user is logged in on another device,
+            # suggest that that device is used as a remote to login here.
+            ::Booth::Userland::Logins::Transitions::New::RemoteSessionAvailable.call(request:)
+
+          elsif storage.credential_for_username.mode_username_and_password?
+            ::Booth::Userland::Logins::Transitions::New::ModeUsernameAndPassword.call(request:)
+
+          elsif storage.credential_for_username.mode_username_password_and_otp?
+            ::Booth::Userland::Logins::Transitions::New::ModeUsernamePasswordAndOtp.call(request:)
+
+          elsif storage.credential_for_username.mode_username_password_and_webauth?
+            ::Booth::Userland::Logins::Transitions::New::ModeUsernamePasswordAndWebauth.call(request:)
+
+          elsif storage.credential_for_username.mode_username_and_webauth?
+            ::Booth::Userland::Logins::Transitions::New::ModeUsernameAndWebauth.call(request:)
+
+          else
+            raise 'Invalid Login State'
+          end
+        end
+
+        private
+
+        def already_logged_in?
+          request.authentication.logged_in?
+        end
+
+        def remote_session_available?
+          return false if storage.skip_remotes?
+
+          storage.credential_for_username.remote_session_available?
+        end
+
+        def storage
+          request.storage.login
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/create/choose_username.rb

@@ -0,0 +1,41 @@
+module Booth
+  module Logins
+    module Transitions
+      module Create
+        class ChooseUsername
+          include ::Booth::Concerns::Transition
+
+          def self.applicable?(params:)
+            params.dig :login, :username
+          end
+
+          def call
+            finding = ::Booth::Credentials::FindByUsername.call(username: username_param)
+
+            finding.on_success do
+              # Each time a username was entered, we destroy and recreate the Contest for this Credential.
+              contest = ::Booth::Contests::SetForLogin.call(request:, credential_id: finding.credential.id).contest
+              storage.contest_for_username = contest
+              storage.credential_for_username = finding.credential
+            end
+
+            # Whether the username is valid or not, we persist it in the cookie,
+            # so that it can be shown again in the username text input.
+            storage.username = finding.normalized_invalid_username
+            finding
+          end
+
+          private
+
+          def username_param
+            params.require(:login).permit(:username)[:username]
+          end
+
+          def storage
+            request.storage.login
+          end
+        end
+      end
+    end
+  end
+end