booth 0.0.1

data/lib/booth/userland/logins/transitions/create/enter_otp.rb

@@ -0,0 +1,70 @@
+module Booth
+  module Logins
+    module Transitions
+      module Create
+        class EnterOtp
+          include ::Booth::Concerns::Transition
+
+          def self.applicable?(params:)
+            params.dig :login, :otp
+          end
+
+          def call
+            do_check_stale_session
+              .on_success { do_find_credential }
+              .on_success { do_check_otp }
+          end
+
+          private
+
+          # Helpers
+
+          delegate :sudo, to: :request
+
+          def do_check_stale_session
+            return Tron.success :session_not_stale unless storage.timed_out?
+
+            public_message = I18n.t('booth.login_timeout', lifespan_minutes: (storage.lifespan / 60))
+            Tron.failure :stale_session, step: :enter_username,
+                                         public_message:
+          end
+
+          def do_find_credential
+            @credential = storage.password_authenticated_credential
+            return Tron.success :found_credential if @credential
+
+            Tron.failure :missing_credential
+          end
+
+          def do_check_credential_mode
+            return Tron.success :credential_is_otp if @credential.mode_username_password_and_otp?
+
+            Tron.failure :credential_is_not_otp
+          end
+
+          def do_check_otp
+            checking = ::Booth::Credentials::OtpAuthentication.call(
+              credential: @credential,
+              code: code_param,
+              ip: request.ip,
+              agent: request.agent
+            )
+            return checking if checking.failure
+
+            storage.reset
+            ::Booth::Sessions::CreateAndLogin.call(credential: @credential, request:)
+            Tron.success :login_completed
+          end
+
+          def code_param
+            params.require(:login).permit(:otp)[:otp]
+          end
+
+          def storage
+            request.storage.login
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/create/skip_remotes.rb

@@ -0,0 +1,24 @@
+module Booth
+  module Logins
+    module Transitions
+      module Create
+        class SkipRemotes
+          include ::Booth::Concerns::Transition
+
+          def self.applicable?(params:)
+            params[:skip_remotes].present?
+          end
+
+          def call
+            storage.skip_remotes
+            Tron.success :skipping_remotes
+          end
+
+          def storage
+            request.storage.login
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/create/verify_password.rb

@@ -0,0 +1,70 @@
+module Booth
+  module Logins
+    module Transitions
+      module Create
+        class VerifyPassword
+          include ::Booth::Concerns::Transition
+
+          def self.applicable?(params:)
+            params.dig :login, :password
+          end
+
+          def call
+            do_check_stale_session
+              .on_success { do_find_credential }
+              .on_success { do_check_password }
+          end
+
+          # Helpers
+
+          def do_check_stale_session
+            return Tron.success :session_not_stale unless storage.timed_out?
+
+            public_message = I18n.t('booth.login_timeout', lifespan_minutes: (storage.lifespan / 60))
+            Tron.failure :stale_session, step: :enter_username,
+                                         public_message:
+          end
+
+          def do_find_credential
+            @credential = storage.credential_for_username
+            return Tron.success :found_credential if @credential
+
+            Tron.failure :missing_credential
+          end
+
+          def do_check_password
+            checking = ::Booth::Credentials::PasswordAuthentication.call(
+              credential: @credential,
+              password: password_param,
+              ip: request.ip,
+              agent: request.agent
+            )
+            return checking if checking.failure
+
+            sudo.password!
+
+            # TODO: Re-check with haveibeenpwned and flag `flagged_pwned_at` password as insecure.
+
+            if @credential.mode_username_and_password?
+              ::Booth::Sessions::CreateAndLogin.call(credential: @credential, request:)
+              return Tron.success :login_completed, return_path: request.return_path
+            end
+
+            storage.password_authenticated_credential = @credential
+            Tron.success :correct_password
+          end
+
+          def password_param
+            params.require(:login).permit(:password)[:password]
+          end
+
+          def storage
+            request.storage.login
+          end
+
+          delegate :sudo, to: :request
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/create/webauth_authentication_initiation.rb

@@ -0,0 +1,55 @@
+module Booth
+  module Logins
+    module Transitions
+      module Create
+        class WebauthAuthenticationInitiation
+          include ::Booth::Concerns::Transition
+
+          def self.applicable?(params:)
+            params[:webauth] && !params[:type]
+          end
+
+          def call
+            do_check_stale_session
+              .on_success { do_find_credential }
+              .on_success { do_check_webauth }
+          end
+
+          # Helpers
+
+          def do_check_stale_session
+            return Tron.success :session_not_stale unless storage.timed_out?
+
+            public_message = I18n.t('booth.login_timeout', lifespan_minutes: (storage.lifespan / 60))
+            Tron.failure :stale_session, step: :enter_username,
+                                         public_message:
+          end
+
+          def do_find_credential
+            @credential = storage.credential_for_username
+            return Tron.success :found_credential if @credential
+
+            debug { 'I do not know the credential for this username' }
+            Tron.failure :missing_credential
+          end
+
+          def do_check_webauth
+            debug { 'Preparing webauth challenge...' }
+            challenging = Booth::Credentials::WebauthChallenge.call(credential: @credential)
+            result = Tron.success :webauth_for_you, public_json: challenging.options_for_get, http_status: :ok
+            debug { "The challenge is #{challenging.challenge}" }
+            storage.webauthn_challenge = challenging.challenge
+            debug { "Responding with JSON: #{result.public_json}" }
+            result
+          end
+
+          def storage
+            request.storage.login
+          end
+
+          delegate :authentication, to: :request
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/create/webauth_authentication_verification.rb

@@ -0,0 +1,80 @@
+module Booth
+  module Logins
+    module Transitions
+      module Create
+        class WebauthAuthenticationVerification
+          include ::Booth::Concerns::Transition
+
+          def self.applicable?(params:)
+            params[:webauth] && params[:type]
+          end
+
+          def call
+            do_check_stale_session
+              .on_success { do_find_credential }
+              .on_success { do_find_challenge }
+              .on_success { do_check_webauth }
+          end
+
+          private
+
+          delegate :sudo, to: :request
+
+          # Helpers
+
+          def do_check_stale_session
+            return Tron.success :session_not_stale unless storage.timed_out?
+
+            public_message = I18n.t('booth.login_timeout', lifespan_minutes: (storage.lifespan / 60))
+            debug { public_message }
+            Tron.failure :stale_session, step: :enter_username,
+                                         public_message:
+          end
+
+          def do_find_credential
+            @credential = storage.password_authenticated_credential
+            return Tron.success :found_credential if @credential
+
+            @credential = storage.credential_for_username
+            return Tron.success :found_credential if @credential
+
+            debug { 'I do not know the credential for this username' }
+            Tron.failure :missing_credential
+          end
+
+          def do_find_challenge
+            return Tron.success :challenge_ongoing if storage.webauthn_challenge.present?
+
+            debug { 'There is no corresponding challenge in the session' }
+            Tron.failure :no_session_challenge, public_json: {}, http_status: :unprocessable_entity
+          end
+
+          def do_check_webauth
+            verification = ::Booth::Webauth::AuthenticationVerification.call(
+              request:,
+              credential_id: @credential.id,
+              challenge: storage.webauthn_challenge
+            )
+            return verification if verification.failure?
+
+            # sudo.webauth! # Why was this up here as well? I forgot.
+            if @credential.mode_username_and_webauth?
+              ::Booth::Sessions::CreateAndLogin.call(credential: verification.credential, request:)
+            elsif @credential.mode_username_password_and_webauth? && @credential == storage.password_authenticated_credential
+              ::Booth::Sessions::CreateAndLogin.call(credential: verification.credential, request:)
+            end
+
+            sudo.webauth! # This also re-sudos after reset caused by potential login above.
+
+            Tron.success :login_completed, public_json: {},
+                                           http_status: :created
+          end
+
+          def storage
+            request.storage.login
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/new/already_logged_in.rb

@@ -0,0 +1,21 @@
+module Booth
+  module Userland
+    module Logins
+      module Transitions
+        module New
+          class AlreadyLoggedIn
+            include ::Booth::Concerns::Transition
+            include ::Booth::Userland::Logins::Transitions::New::Fallible
+
+            def call
+              debug { "Good, it looks like you've managed to login" }
+              debug { "Sending you to #{request.return_path.inspect}" } if request.return_path
+
+              Tron.success :cannot_login_because_already_logged_in, return_path: request.return_path
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/new/fallible.rb

@@ -0,0 +1,27 @@
+module Booth
+  module Userland
+    module Logins
+      module Transitions
+        module New
+          module Fallible
+            extend ActiveSupport::Concern
+
+            private
+
+            def fail_with(code, attributes)
+              attributes.merge! username: storage.username,
+                                login_lifespan: storage.lifespan,
+                                seconds_until_auto_reset: storage.seconds_until_auto_reset
+
+              Tron.failure code, attributes
+            end
+
+            def storage
+              request.storage.login
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/new/mode_first_time.rb

@@ -0,0 +1,20 @@
+module Booth
+  module Userland
+    module Logins
+      module Transitions
+        module New
+          class ModeFirstTime
+            include ::Booth::Concerns::Transition
+            include ::Booth::Userland::Logins::Transitions::New::Fallible
+
+            def call
+              debug { 'This credential has not gone through onboarding yet.' }
+              # storage.login.reset_credential_for_username
+              fail_with :need_webauth, step: :needs_onboarding
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/new/mode_username_and_password.rb

@@ -0,0 +1,20 @@
+module Booth
+  module Userland
+    module Logins
+      module Transitions
+        module New
+          class ModeUsernameAndPassword
+            include ::Booth::Concerns::Transition
+            include ::Booth::Userland::Logins::Transitions::New::Fallible
+
+            def call
+              debug { 'I have your username and I only need your password' }
+
+              fail_with :need_password, step: :enter_password
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/new/mode_username_and_webauth.rb

@@ -0,0 +1,26 @@
+module Booth
+  module Userland
+    module Logins
+      module Transitions
+        module New
+          class ModeUsernameAndWebauth
+            include ::Booth::Concerns::Transition
+            include ::Booth::Userland::Logins::Transitions::New::Fallible
+
+            def call
+              debug { 'I have your username and I only need your Webauth' }
+
+              if storage.credential_for_username.registered_authenticator_ids.any?
+                debug { 'I know that the user has an authenticator that is to be challenged' }
+                return fail_with(:need_webauth, step: :enter_webauth)
+              end
+
+              debug { "Apparently we don't know any authenticators of this user" }
+              fail_with :no_authenticators, step: :no_authenticators
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/new/mode_username_password_and_otp.rb

@@ -0,0 +1,24 @@
+module Booth
+  module Userland
+    module Logins
+      module Transitions
+        module New
+          class ModeUsernamePasswordAndOtp
+            include ::Booth::Concerns::Transition
+            include ::Booth::Userland::Logins::Transitions::New::Fallible
+
+            def call
+              if storage.password_authenticated_credential
+                debug { 'I have your username and your password, now I need your OTP' }
+                fail_with :need_otp, step: :enter_otp
+              else
+                debug { 'I have your username but not your password, let alone your OTP' }
+                fail_with :need_password_and_otp, step: :enter_password
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/new/mode_username_password_and_webauth.rb

@@ -0,0 +1,24 @@
+module Booth
+  module Userland
+    module Logins
+      module Transitions
+        module New
+          class ModeUsernamePasswordAndWebauth
+            include ::Booth::Concerns::Transition
+            include ::Booth::Userland::Logins::Transitions::New::Fallible
+
+            def call
+              if storage.password_authenticated_credential
+                debug { 'I have your username and your password, now I need your Webauth' }
+                fail_with :need_webauth, step: :enter_webauth
+              else
+                debug { 'I have your username but not your password, let alone your Webauth' }
+                fail_with :need_password_and_webauth, step: :enter_password
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/new/no_username_chosen.rb

@@ -0,0 +1,19 @@
+module Booth
+  module Userland
+    module Logins
+      module Transitions
+        module New
+          class NoUsernameChosen
+            include ::Booth::Concerns::Transition
+            include ::Booth::Userland::Logins::Transitions::New::Fallible
+
+            def call
+              debug { "I don't know of any valid username" }
+              fail_with :no_username_chosen, step: :enter_username
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/new/remote_session_available.rb

@@ -0,0 +1,52 @@
+module Booth
+  module Userland
+    module Logins
+      module Transitions
+        module New
+          class RemoteSessionAvailable
+            include ::Booth::Concerns::Transition
+            include ::Booth::Userland::Logins::Transitions::New::Fallible
+
+            def call
+              # Prerequisites that were arranged by previous transitions.
+              raise(::Booth::Errors::Internal, 'Expected a Credential in the cookie.') unless credential
+
+              do_respond
+            end
+
+            private
+
+            def do_respond
+              if contest&.recently_responded?
+                debug { 'Your Contest was solved on the other device. Logging you in...' }
+                # Yes, it's unusual for a GET request to log you in.
+                # We are polling this page and when the Contest was solved remotely, we log this user in.
+                ::Booth::Sessions::CreateAndLogin.call(credential:, request:)
+
+              elsif contest&.recently_created?
+                debug { 'If you like, you can try a remote device to log you in here.' }
+                # Having entered a username earlier, we can be sure to find a corresponding Contest.
+                expected_code = contest.formatted_code
+
+                fail_with :contest_available,
+                          step: :remote_session_available,
+                          expected_code:
+              else
+                fail_with :invalid_contest,
+                          step: :remote_session_expired
+              end
+            end
+
+            def credential
+              request.storage.login.credential_for_username
+            end
+
+            def contest
+              request.storage.login.contest_for_username
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/logins/transitions/new/timed_out.rb

@@ -0,0 +1,25 @@
+module Booth
+  module Userland
+    module Logins
+      module Transitions
+        module New
+          class TimedOut
+            include ::Booth::Concerns::Transition
+            include ::Booth::Userland::Logins::Transitions::New::Fallible
+
+            def call
+              debug { 'Stale session detected, you need to start all over again.' }
+
+              fail_with :no_username_chosen, step: :enter_username,
+                                             public_message:
+            end
+
+            def public_message
+              I18n.t 'booth.login_timeout', lifespan_minutes: (storage.lifespan / 60)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/onboardings/show.rb

@@ -0,0 +1,74 @@
+module Booth
+  module Userland
+    module Onboardings
+      class Show
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+
+          do_find_onboarding
+            .on_success { do_check_logged_out }
+            .on_success { do_access_onboarding }
+        end
+
+        def do_find_onboarding
+          finding = ::Booth::Onboardings::Find.call(secret_key:)
+          finding.on_failure do
+            return Tron.failure finding.failure, step: :not_found, public_message: finding.public_message
+          end
+
+          @onboarding = finding.onboarding
+          finding
+        end
+
+        def do_check_logged_out
+          unless request.authentication.logged_in?
+            debug { "Good, nobody happens to be already logged in in scope #{@onboarding.scope}" }
+            return Tron.success :not_logged_in
+          end
+
+          if request.authentication.logged_in_as?(credential: @onboarding.credential)
+            debug { "#{@onboarding.credential.username} is already logged in in scope #{@onboarding.scope}" }
+            return Tron.success :logged_in_as_same_credential
+          end
+
+          debug do
+            "Logged in as user #{request.authentication.username.inspect} but trying to onboard as #{@onboarding.username.inspect}"
+          end
+
+          Tron.failure :already_logged_in, step: :already_logged_in,
+                                           secret_key: @onboarding.secret_key,
+                                           username: @onboarding.username
+        end
+
+        # TODO: Check recently created?
+
+        def do_access_onboarding
+          @onboarding.update! accessed_at: Time.current if @onboarding.accessed_at.blank?
+
+          debug do
+            "Accessed Onboarding #{@onboarding.id.inspect} (Step #{@onboarding.step}) and Credential #{@onboarding.credential_id.inspect}"
+          end
+          Tron.success :onboarding_accessed, credential_id: @onboarding.credential_id,
+                                             step: @onboarding.step,
+                                             username: @onboarding.username,
+                                             mode: ::Booth::Mode.find(@onboarding.mode),
+                                             secret_key: @onboarding.secret_key,
+                                             allowed_modes: ::Booth::Mode.wrap(@onboarding.allowed_modes),
+                                             authenticator_id: @onboarding.authenticator_id.presence,
+                                             authenticator_nickname: @onboarding.authenticator_nickname.presence,
+                                             otp_provisioning_svg: @onboarding.otp_provisioning_svg,
+                                             otp_provisioning_url: @onboarding.otp_provisioning_url,
+                                             minlength: @onboarding.class.password_minlength,
+                                             passwordrules: @onboarding.class.passwordrules
+        end
+
+        def secret_key
+          params[:id]
+        end
+      end
+    end
+  end
+end