booth 0.0.1

data/lib/booth/userland/onboardings/transitions/update/choose_mode.rb

@@ -0,0 +1,58 @@
+module Booth
+  module Userland
+    module Onboardings
+      module Transitions
+        module Update
+          class ChooseMode
+            include ::Booth::Concerns::Transition
+
+            option :onboarding
+
+            def self.applicable?(params:)
+              # `mode` sets to a specific mode and `reset` clears any mode.
+              params.key?(:mode) || params.key?(:reset)
+            end
+
+            def call
+              do_reset_password
+                .on_success { do_reset_otp }
+                .on_success { do_reset_webauth }
+                .on_success { do_update_mode }
+            end
+
+            private
+
+            def do_reset_password
+              ::Booth::Userland::Onboardings::Transitions::Update::ResetPassword.call(onboarding:,
+                                                                                      request:)
+            end
+
+            def do_reset_otp
+              ::Booth::Userland::Onboardings::Transitions::Update::ResetOtp.call(onboarding:,
+                                                                                 request:)
+            end
+
+            def do_reset_webauth
+              ::Booth::Userland::Onboardings::Transitions::Update::ResetWebauth.call(onboarding:,
+                                                                                     request:)
+            end
+
+            def do_update_mode
+              if onboarding.update mode: mode_param
+                debug { "You chose the mode #{@onboarding.mode.inspect}" }
+                return Tron.success :mode_chosen
+              end
+
+              debug { "Could not choose mode #{mode_param.inspect}: #{onboarding.errors.to_a.to_sentence}" }
+              Tron.failure :mode_update_failed
+            end
+
+            def mode_param
+              params[:mode] || 'first_time'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/onboardings/transitions/update/choose_password.rb

@@ -0,0 +1,41 @@
+module Booth
+  module Userland
+    module Onboardings
+      module Transitions
+        module Update
+          class ChoosePassword
+            include ::Booth::Concerns::Transition
+
+            option :onboarding
+
+            def self.applicable?(params:)
+              params.key?(:onboarding) && params[:onboarding].key?(:password)
+            end
+
+            def call
+              do_update_password
+            end
+
+            private
+
+            def do_update_password
+              if onboarding.update password: password_param,
+                                   password_chosen_at: Time.current
+                debug { 'You chose a password' }
+                return Tron.success :password_chosen
+              end
+
+              public_message = onboarding.errors.to_a.to_sentence
+              debug { "Could not choose password: #{public_message}" }
+              Tron.failure :password_update_failed, public_message:
+            end
+
+            def password_param
+              params.require(:onboarding).permit(:password)[:password]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/onboardings/transitions/update/choose_webauth_nickname.rb

@@ -0,0 +1,50 @@
+module Booth
+  module Userland
+    module Onboardings
+      module Transitions
+        module Update
+          class ChooseWebauthNickname
+            include ::Booth::Concerns::Transition
+
+            option :onboarding
+
+            def self.applicable?(params:)
+              params&.key?(:onboarding) && params[:onboarding]&.key?(:authenticator_nickname)
+            end
+
+            def call
+              do_check_blank_nickname
+                .on_success { do_update_webauth }
+            end
+
+            private
+
+            def do_check_blank_nickname
+              return Tron.success :nickname_is_present if nickname_param.present?
+
+              onboarding.errors.add(:authenticator_nickname, :blank)
+              public_message = onboarding.errors.to_a.to_sentence
+              debug { 'The nickname was blank' }
+              Tron.failure :nickname_is_blank, public_message:
+            end
+
+            def do_update_webauth
+              if onboarding.update authenticator_nickname: nickname_param
+                debug { 'The nickname successfully changed' }
+                Tron.success :webauth_nickname_saved
+              else
+                public_message = onboarding.errors.to_a.to_sentence
+                debug { "The nickname could not be updated: #{public_message}" }
+                Tron.failure :webauth_nickname_failed, public_message:
+              end
+            end
+
+            def nickname_param
+              params.require(:onboarding).permit(:authenticator_nickname)[:authenticator_nickname]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/onboardings/transitions/update/confirm_otp.rb

@@ -0,0 +1,58 @@
+module Booth
+  module Userland
+    module Onboardings
+      module Transitions
+        module Update
+          class ConfirmOtp
+            include ::Booth::Concerns::Transition
+
+            option :onboarding
+
+            def self.applicable?(params:)
+              params.key?(:onboarding) && params[:onboarding].key?(:otp_confirmation)
+            end
+
+            def call
+              do_check_otp_code_syntax
+                .on_success { do_authenticate_otp }
+                .on_success { do_update_confirmation }
+            end
+
+            private
+
+            def do_check_otp_code_syntax
+              check = ::Booth::Syntaxes::Otp.call(code_param)
+              return check if check.failure?
+
+              @normalized_otp_code = check.normalized_otp
+              check
+            end
+
+            def do_authenticate_otp
+              return Tron.success :correct_code if @onboarding.authenticate_otp(@normalized_otp_code)
+
+              @onboarding.errors.add :base, I18n.t('booth.wrong_otp')
+              public_message = onboarding.errors.to_a.to_sentence
+              debug { "Could not confirm otp: #{public_message}" }
+              Tron.failure :otp_did_not_match, public_message:
+            end
+
+            def do_update_confirmation
+              if @onboarding.update(otp_confirmed_at: Time.current)
+                debug { 'You confirmed your otp' }
+                return Tron.success :otp_confirmed
+              end
+
+              debug { "The confirmation was correct but the update failed: #{onboarding.errors.to_a.to_sentence}" }
+              Tron.failure :correct_otp_confirmation_failed
+            end
+
+            def code_param
+              params.require(:onboarding).permit(:otp_confirmation)[:otp_confirmation]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/onboardings/transitions/update/confirm_password.rb

@@ -0,0 +1,49 @@
+module Booth
+  module Userland
+    module Onboardings
+      module Transitions
+        module Update
+          class ConfirmPassword
+            include ::Booth::Concerns::Transition
+
+            option :onboarding
+
+            def self.applicable?(params:)
+              params.key?(:onboarding) && params[:onboarding].key?(:password_confirmation)
+            end
+
+            def call
+              do_authenticate_password
+                .on_success { do_update_confirmation }
+            end
+
+            private
+
+            def do_authenticate_password
+              return Tron.success :password_matches if @onboarding.authenticate_password(password)
+
+              @onboarding.errors.add :password_confirmation, :confirmation
+              public_message = onboarding.errors.to_a.to_sentence
+              debug { "Could not confirm password: #{public_message}" }
+              Tron.failure :password_did_not_match, public_message:
+            end
+
+            def do_update_confirmation
+              if @onboarding.update(password_confirmed_at: Time.current)
+                debug { 'You confirmed your password' }
+                return Tron.success :password_confirmed
+              end
+
+              debug { "The confirmation was correct but the update failed: #{onboarding.errors.to_a.to_sentence}" }
+              Tron.failure :correct_password_confirmation_failed
+            end
+
+            def password
+              params.require(:onboarding).permit(:password_confirmation)[:password_confirmation]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/onboardings/transitions/update/register_otp.rb

@@ -0,0 +1,31 @@
+module Booth
+  module Userland
+    module Onboardings
+      module Transitions
+        module Update
+          class RegisterOtp
+            include ::Booth::Concerns::Transition
+
+            option :onboarding
+
+            def self.applicable?(params:)
+              params&.key?(:register_otp) && !params&.key?(:onboarding)
+            end
+
+            def call
+              do_register
+            end
+
+            private
+
+            def do_register
+              return Tron.success :otp_secret_regenerated if onboarding.update(otp_registered_at: Time.current)
+
+              Tron.failure :generating_otp_secret_failed
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/onboardings/transitions/update/reset_otp.rb

@@ -0,0 +1,40 @@
+module Booth
+  module Userland
+    module Onboardings
+      module Transitions
+        module Update
+          class ResetOtp
+            include ::Booth::Concerns::Transition
+
+            option :onboarding
+
+            def self.applicable?(params:)
+              params.key?(:reset_otp)
+            end
+
+            def call
+              do_regenerate_secret
+                .on_success { do_reset_confirmation }
+            end
+
+            def do_regenerate_secret
+              return Tron.success :secret_regenerated if onboarding.otp_regenerate_secret
+
+              Tron.failure :secret_regeneration_failed
+            end
+
+            def do_reset_confirmation
+              if onboarding.update(otp_registered_at: nil, otp_confirmed_at: nil)
+                debug { 'The Onboarding otp was reset.' }
+                return Tron.success :otp_reset
+              end
+
+              debug { "Could not reset otp: #{onboarding.errors.to_a.to_sentence}" }
+              Tron.failure :otp_reset_failed
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/onboardings/transitions/update/reset_password.rb

@@ -0,0 +1,35 @@
+module Booth
+  module Userland
+    module Onboardings
+      module Transitions
+        module Update
+          class ResetPassword
+            include ::Booth::Concerns::Transition
+
+            option :onboarding
+
+            def self.applicable?(params:)
+              params.key?(:reset_password)
+            end
+
+            def call
+              do_reset_password_confirmation
+            end
+
+            private
+
+            def do_reset_password_confirmation
+              if onboarding.update(password_chosen_at: nil, password_confirmed_at: nil)
+                debug { 'The Onboarding password was reset.' }
+                return Tron.success :password_reset
+              end
+
+              debug { "Could not reset password: #{onboarding.errors.to_a.to_sentence}" }
+              Tron.failure :password_reset_failed
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/onboardings/transitions/update/reset_webauth.rb

@@ -0,0 +1,46 @@
+module Booth
+  module Userland
+    module Onboardings
+      module Transitions
+        module Update
+          class ResetWebauth
+            include ::Booth::Concerns::Transition
+
+            option :onboarding
+
+            def self.applicable?(params:)
+              params.key?(:reset_webauth)
+            end
+
+            def call
+              do_clear_webauth
+            end
+
+            private
+
+            def do_clear_webauth
+              if onboarding.update(niled_attributes)
+                debug { 'The Onboarding webauth was reset.' }
+                return Tron.success :webauth_reset
+              end
+
+              debug { "Could not reset webauth: #{onboarding.errors.to_a.to_sentence}" }
+              Tron.failure :webauth_reset_failed
+            end
+
+            def niled_attributes
+              {
+                webauthn_id: nil,
+                authenticator_id: nil,
+                authenticator_nickname: nil,
+                authenticator_challenge: nil,
+                authenticator_public_key: nil,
+                authenticator_sign_count: nil
+              }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/onboardings/transitions/update/webauth_authentication_initiation.rb

@@ -0,0 +1,40 @@
+module Booth
+  module Userland
+    module Onboardings
+      module Transitions
+        module Update
+          class WebauthAuthenticationInitiation
+            include ::Booth::Concerns::Transition
+
+            option :onboarding
+
+            def self.applicable?(params:)
+              params&.key?(:test_webauth) && !params&.key?(:onboarding)
+            end
+
+            def call
+              do_challenge
+            end
+
+            private
+
+            def do_challenge
+              webauth = ::Booth::Webauth::OptionsForGet.call(
+                allowed_device_ids: onboarding.authenticator_id,
+                requires_user_verification: onboarding.requires_user_verification?
+              )
+
+              debug { "Remembering test challenge #{webauth.challenge.inspect}" }
+
+              if onboarding.update authenticator_challenge: webauth.challenge
+                Tron.success :test_challenge_created, public_json: webauth.as_json, http_status: :created
+              else
+                Tron.failure :storing_test_challenge_failed
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/onboardings/transitions/update/webauth_authentication_verification.rb

@@ -0,0 +1,59 @@
+module Booth
+  module Userland
+    module Onboardings
+      module Transitions
+        module Update
+          class WebauthAuthenticationVerification
+            include ::Booth::Concerns::Transition
+
+            option :onboarding
+
+            def self.applicable?(params:)
+              params&.key?(:test_webauth) && params[:onboarding]&.key?(:rawId)
+            end
+
+            def call
+              do_verify_response
+                .on_success { do_persist_confirmation }
+            end
+
+            private
+
+            def do_verify_response
+              debug { 'Verifying challenge...' }
+              # TODO: Replate with ::Booth::Webauth::AuthenticationVerification (?)
+              webauth.verify(@onboarding.authenticator_challenge,
+                             public_key: @onboarding.authenticator_public_key,
+                             sign_count: @onboarding.authenticator_sign_count)
+
+              Tron.success :challenge_response_correct
+            rescue WebAuthn::Error => e
+              debug { "Webauth Handshake failed: #{e.message}" }
+              Tron.failure :invalid_challenge_response
+            end
+
+            def do_persist_confirmation
+              debug { 'Updating succeeded sign count and authenticator confirmation...' }
+              if onboarding.update(authenticator_sign_count: webauth.sign_count,
+                                   authenticator_confirmed_at: Time.current)
+
+                return Tron.success :webauth_authentication_verification_successful, public_json: {},
+                                                                                     http_status: :created
+              end
+
+              Tron.failure :storing_response_failed
+            end
+
+            def webauth
+              @webauth ||= ::WebAuthn::Credential.from_get(onboarding_params)
+            end
+
+            def onboarding_params
+              params.require(:onboarding).permit!
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/onboardings/transitions/update/webauth_registration_initiation.rb

@@ -0,0 +1,46 @@
+module Booth
+  module Userland
+    module Onboardings
+      module Transitions
+        module Update
+          class WebauthRegistrationInitiation
+            include ::Booth::Concerns::Transition
+
+            option :onboarding
+
+            def self.applicable?(params:)
+              params&.key?(:register_webauth) && !params&.key?(:onboarding)
+            end
+
+            def call
+              do_challenge
+            end
+
+            private
+
+            def do_challenge
+              debug { "Remembering registration challenge #{webauth.challenge.inspect}" }
+
+              if onboarding.update authenticator_challenge: webauth.challenge
+                return Tron.success :registration_challenge_created, public_json: webauth.as_json,
+                                                                     http_status: :created
+              end
+
+              Tron.failure :storing_registration_challenge_failed
+            end
+
+            def webauth
+              @webauth ||= ::Booth::Webauth::OptionsForCreate.call(
+                webauthn_id: onboarding.webauthn_id,
+                username: onboarding.credential.username,
+                requires_user_verification: onboarding.requires_user_verification?
+                # No need to exclude existing hardware keys.
+                # You can not register more than one hardware key in this onboarding.
+              )
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/onboardings/transitions/update/webauth_registration_verification.rb

@@ -0,0 +1,56 @@
+module Booth
+  module Userland
+    module Onboardings
+      module Transitions
+        module Update
+          class WebauthRegistrationVerification
+            include ::Booth::Concerns::Transition
+
+            option :onboarding
+
+            def self.applicable?(params:)
+              params&.key?(:register_webauth) && params[:onboarding]&.key?(:rawId)
+            end
+
+            def call
+              do_verify_response
+                .on_success { do_persist_keys }
+            end
+
+            private
+
+            def do_verify_response
+              debug { "Verifying challenge #{@onboarding.authenticator_challenge.inspect}" }
+              webauth.verify(@onboarding.authenticator_challenge)
+
+              Tron.success :challenge_response_correct
+            rescue WebAuthn::Error => e
+              debug { "Webauth Handshake failed: #{e.message}" }
+              Tron.failure :invalid_challenge_response
+            end
+
+            def do_persist_keys
+              debug { "Persisting authenticator information, the sign count is now at #{webauth.sign_count}..." }
+              if onboarding.update(authenticator_id: ::Base64.strict_encode64(webauth.raw_id),
+                                   authenticator_public_key: webauth.public_key,
+                                   authenticator_sign_count: webauth.sign_count)
+
+                return Tron.success :challenge_accepted, public_json: {}, http_status: :created
+              end
+
+              Tron.failure :storing_response_failed
+            end
+
+            def webauth
+              @webauth ||= ::WebAuthn::Credential.from_create(onboarding_params)
+            end
+
+            def onboarding_params
+              params.require(:onboarding).permit!
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/onboardings/update.rb

@@ -0,0 +1,68 @@
+module Booth
+  module Userland
+    module Onboardings
+      class Update
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_patch!
+
+          do_find_onboarding
+            .on_success { do_check_propagation }
+            .on_success { do_transition }
+        end
+
+        private
+
+        def do_find_onboarding
+          finding = ::Booth::Onboardings::Find.call(secret_key: params[:id])
+          return finding if finding.failure?
+
+          @onboarding = finding.onboarding
+          finding
+        end
+
+        def do_check_propagation
+          return Tron.success :not_yet_propagated unless @onboarding.propagated?
+
+          Tron.failure :already_propagated
+        end
+
+        def initialize_transition
+          transition.call(onboarding: @onboarding, request:)
+        end
+
+        def after_transition
+          @onboarding.reload # Ensure the onboarding instance is in an invalid state after a failed update attempt.
+          debug { "Onboarding updated, now in step #{@onboarding.step}" }
+          return unless @onboarding.completed?
+
+          ::Booth::Onboardings::PropagateToCredential.call(@onboarding, ip: request.ip, agent: request.agent)
+          # The `CreateRegistration` flow may already have logged you in.
+          return if request.authentication.logged_in?
+
+          debug { 'Nobody is logged in, so this Onboarding was without prior self-registration. Logging you in now...'}
+          ::Booth::Sessions::CreateAndLogin.call(credential: @onboarding.credential, request:)
+        end
+
+        def transitions # rubocop:disable Metrics/MethodLength
+          [
+            ::Booth::Userland::Onboardings::Transitions::Update::ChooseMode,
+            ::Booth::Userland::Onboardings::Transitions::Update::ChoosePassword,
+            ::Booth::Userland::Onboardings::Transitions::Update::ChooseWebauthNickname,
+            ::Booth::Userland::Onboardings::Transitions::Update::ConfirmOtp,
+            ::Booth::Userland::Onboardings::Transitions::Update::ConfirmPassword,
+            ::Booth::Userland::Onboardings::Transitions::Update::RegisterOtp,
+            ::Booth::Userland::Onboardings::Transitions::Update::ResetOtp,
+            ::Booth::Userland::Onboardings::Transitions::Update::ResetPassword,
+            ::Booth::Userland::Onboardings::Transitions::Update::ResetWebauth,
+            ::Booth::Userland::Onboardings::Transitions::Update::WebauthAuthenticationInitiation,
+            ::Booth::Userland::Onboardings::Transitions::Update::WebauthAuthenticationVerification,
+            ::Booth::Userland::Onboardings::Transitions::Update::WebauthRegistrationInitiation,
+            ::Booth::Userland::Onboardings::Transitions::Update::WebauthRegistrationVerification,
+          ]
+        end
+      end
+    end
+  end
+end