booth 0.0.1

data/lib/booth/userland/otps/destroy.rb

@@ -0,0 +1,42 @@
+module Booth
+  module Userland
+    module Otps
+      class Destroy
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_delete!
+          request.must_be_html!
+          request.must_be_logged_in!
+          request.sudo.guard_with_otp { return _1 }
+
+          do_require_eligible_credential
+            .on_success { do_destroy }
+        end
+
+        private
+
+        def do_require_eligible_credential
+          return Tron.success :can_remove_otp if ::Booth::Credentials::Modes::OtpRemovable.call(credential)
+
+          Tron.failure :credential_not_otpable, public_message: I18n.t('booth.otp_not_eligible')
+        end
+
+        def do_destroy
+          if credential.mode_username_and_password!
+            credential.otp_regenerate_secret
+            credential.save # Not critical if this one fails
+
+            return Tron.success :otp_removed, public_message: I18n.t('booth.otp_removed')
+          end
+
+          Tron.failure :otp_removal_failed
+        end
+
+        def credential
+          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/otps/edit.rb

@@ -0,0 +1,72 @@
+module Booth
+  module Userland
+    module Otps
+      class Edit
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          ::Booth::Userland::Otps::Guards::Manageable.call(credential:) { return _1 }
+          ::Booth::Userland::Otps::Guards::Sudo.call(request:, credential:) { return _1 }
+
+          do_require_eligible_credential
+            # .on_success { do_clear_previous_editing }
+            .on_success { do_ensure_temporary_secret_key }
+            .on_success { do_reveal_otp_secret }
+        end
+
+        private
+
+        def do_require_eligible_credential
+          return Tron.success :can_add_otp if ::Booth::Credentials::Modes::OtpAddable.call(credential)
+          return Tron.success :can_change_otp if ::Booth::Credentials::Modes::OtpChangeable.call(credential)
+
+          Tron.failure :credential_not_otpable, public_message: I18n.t('booth.otp_not_eligible')
+        end
+
+        # Hm, tests failed with this.
+        # def do_clear_previous_editing
+        #   return Tron.success :no_previous_editing unless storage.secret_key_recently_changed?
+        #   return Tron.success :reset_not_requested unless request.params[:reset]
+
+        #   #storage.reset
+        #   Tron.success :previous_editing_cleared
+        # end
+
+        def do_ensure_temporary_secret_key
+          return Tron.success :secret_key_exists if storage.secret_key
+
+          storage.generate_secret_key!
+          Tron.success :secret_generated
+        end
+
+        def do_reveal_otp_secret
+          dummy = ::Booth::Models::Credential.new otp_secret_key: storage.secret_key, scope: scope
+
+          Tron.success :register_otp, step:,
+                                      otp_provisioning_svg: dummy.otp_provisioning_svg,
+                                      otp_provisioning_url: dummy.otp_provisioning_url
+        end
+
+        def step
+          return :successfully_changed if storage.secret_key_recently_changed?
+
+          return :confirm if storage.secret_key_has_been_seen?
+
+          :register
+        end
+
+        def storage
+          request.storage.otp
+        end
+
+        def credential
+          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/otps/guards/manageable.rb

@@ -0,0 +1,21 @@
+module Booth
+  module Userland
+    module Otps
+      module Guards
+        class Manageable
+          include ::Booth::Logging
+          include ::Booth::MethodObject
+
+          option :credential
+
+          def call
+            return if ::Booth::Credentials::Modes::OtpManageable.call(credential)
+
+            debug { 'OTP is not relevant to this credential' }
+            yield Tron.failure :otp_not_configurable, public_message: I18n.t('booth.otp_unavailable')
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/otps/guards/sudo.rb

@@ -0,0 +1,23 @@
+module Booth
+  module Userland
+    module Otps
+      module Guards
+        class Sudo
+          include ::Booth::MethodObject
+
+          option :request
+          option :credential
+
+          def call
+            return if credential.mode_first_time?
+            return if credential.mode_username_and_password?
+            return if credential.mode_username_password_and_webauth?
+            return if credential.mode_username_and_webauth?
+
+            request.sudo.guard_with_otp { yield _1 }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/otps/show.rb

@@ -0,0 +1,36 @@
+module Booth
+  module Userland
+    module Otps
+      class Show
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          ::Booth::Userland::Otps::Guards::Manageable.call(credential:) { return _1 }
+          ::Booth::Userland::Otps::Guards::Sudo.call(request:, credential:) { return _1 }
+
+          do_show
+        end
+
+        private
+
+        def do_show
+          if credential.mode_username_password_and_otp?
+            return Tron.success :current_otp, step: :show,
+                                              otp_provisioning_svg: credential.otp_provisioning_svg,
+                                              otp_provisioning_url: credential.otp_provisioning_url
+          end
+
+          Tron.success :otp_addable, step: :add
+        end
+
+        def credential
+          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/otps/sudo.rb

@@ -0,0 +1,51 @@
+module Booth
+  module Userland
+    module Otps
+      class Sudo
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_post!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          do_find_credential
+            .on_success { do_require_credential_has_otp }
+            .on_success { do_check_code }
+            .on_success { do_grant_sudo }
+        end
+
+        private
+
+        def do_find_credential
+          @credential = ::Booth::Models::Credential.find(request.authentication.credential_id)
+          return Tron.success :found_credential if @credential
+
+          Tron.failure :missing_credential
+        end
+
+        def do_require_credential_has_otp
+          return Tron.success :credential_has_otp if @credential.mode_username_password_and_otp?
+
+          Tron.failure :credential_has_no_otp, public_message: I18n.t('booth.otp_unavailable')
+        end
+
+        def do_check_code
+          ::Booth::Credentials::OtpAuthentication.call credential: @credential,
+                                                       code: code_param,
+                                                       ip: request.ip,
+                                                       agent: request.agent
+        end
+
+        def do_grant_sudo
+          request.sudo.otp!
+          Tron.success :otp_sudo_granted
+        end
+
+        def code_param
+          params.require(:otp).permit(:otp)[:otp]
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/otps/transitions/update/confirm.rb

@@ -0,0 +1,84 @@
+module Booth
+  module Userland
+    module Otps
+      module Transitions
+        module Update
+          class Confirm
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params.key?(:otp) && params[:otp].key?(:otp_confirmation)
+            end
+
+            def call
+              do_check_secret_key
+                .on_success { do_find_credential }
+                .on_success { do_require_eligible_credential }
+                .on_success { do_compare_code }
+                .on_success { do_update_credential }
+                .on_success { do_audit }
+            end
+
+            private
+
+            def do_check_secret_key
+              return Tron.success :secret_key_exists if storage.secret_key.present?
+
+              Tron.failure :missing_secret_key
+            end
+
+            def do_find_credential
+              @credential = ::Booth::Models::Credential.find(request.authentication.credential_id)
+              return Tron.success :found_credential if @credential
+
+              Tron.failure :missing_credential
+            end
+
+            def do_require_eligible_credential
+              return Tron.success :can_add_otp if ::Booth::Credentials::Modes::OtpAddable.call(@credential)
+              return Tron.success :can_change_otp if ::Booth::Credentials::Modes::OtpChangeable.call(@credential)
+
+              Tron.failure :credential_not_otpable, public_message: I18n.t('booth.otp_not_eligible')
+            end
+
+            def do_compare_code
+              @credential.otp_secret_key = storage.secret_key
+              return Tron.success :correct_code if @credential.authenticate_otp(code_param)
+
+              debug { "Provided code #{code_param} did not match expected code #{@credential.otp_code}" }
+              Tron.failure :wrong_code, public_message: I18n.t('booth.wrong_otp')
+            end
+
+            def do_update_credential
+              @credential.mode = :username_password_and_otp
+
+              if @credential.save
+                request.sudo.otp!
+                debug { 'You confirmed your newly changed otp' }
+                return Tron.success :otp_confirmed
+              end
+
+              debug { "The confirmation was correct but the update failed: #{@credential.errors.to_a.to_sentence}" }
+              Tron.failure :correct_otp_confirmation_failed
+            end
+
+            def do_audit
+              ::Booth::Audits::Register::ChangedOtp.call credential: @credential, ip: request.ip, agent: request.agent
+              storage.secret_key_recently_changed!
+
+              Tron.success :audit_created
+            end
+
+            def code_param
+              params.require(:otp).permit(:otp_confirmation)[:otp_confirmation]
+            end
+
+            def storage
+              request.storage.otp
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/otps/transitions/update/register.rb

@@ -0,0 +1,40 @@
+module Booth
+  module Userland
+    module Otps
+      module Transitions
+        module Update
+          class Register
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params&.key?(:register)
+            end
+
+            def call
+              do_check_secret_key
+                .on_success { do_register_otp }
+            end
+
+            private
+
+            def do_check_secret_key
+              return Tron.success :secret_key_exists if storage.secret_key.present?
+
+              Tron.failure :missing_secret_key
+            end
+
+            def do_register_otp
+              storage.secret_key_has_been_seen!
+
+              Tron.success :otp_secret_registered
+            end
+
+            def storage
+              request.storage.otp
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/otps/transitions/update/reset.rb

@@ -0,0 +1,31 @@
+module Booth
+  module Userland
+    module Otps
+      module Transitions
+        module Update
+          class Reset
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params.key?(:reset)
+            end
+
+            def call
+              do_reset
+            end
+
+            private
+
+            def do_reset
+              storage.reset
+            end
+
+            def storage
+              request.storage.otp
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/otps/update.rb

@@ -0,0 +1,34 @@
+module Booth
+  module Userland
+    module Otps
+      class Update
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_patch!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          ::Booth::Userland::Otps::Guards::Manageable.call(credential:) { return _1 }
+          ::Booth::Userland::Otps::Guards::Sudo.call(request:, credential:) { return _1 }
+
+          do_transition
+        end
+
+        private
+
+        def transitions
+          [
+            ::Booth::Userland::Otps::Transitions::Update::Confirm,
+            ::Booth::Userland::Otps::Transitions::Update::Register,
+            ::Booth::Userland::Otps::Transitions::Update::Reset,
+          ]
+        end
+
+        def credential
+          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/password_resets/create.rb

@@ -0,0 +1,73 @@
+module Booth
+  module Userland
+    module PasswordResets
+      class Create
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_post!
+
+          do_check_logged_out
+            .on_success { do_find_credential }
+            .on_success { do_remember_email }
+            .on_success { do_create_password_reset }
+        end
+
+        private
+
+        delegate :username, to: :storage, private: true
+
+        def do_check_logged_out
+          unless request.authentication.logged_in?
+            debug { "Good, nobody happens to be already logged in in scope #{request.scope}" }
+            return Tron.success :not_logged_in
+          end
+
+          debug do
+            "Logged in as user #{request.authentication.username.inspect} but trying to request password reset"
+          end
+          Tron.failure :logged_in_user_cannot_reset_password, public_message: I18n.t('booth.logged_in_user_cannot_reset_password')
+        end
+
+        def do_find_credential
+          return Tron.success :known_credential if login_storage.credential_for_username
+
+          Tron.failure :unknown_credential, public_message: I18n.t('booth.password_reset_needs_username')
+        end
+
+        def do_remember_email
+          password_reset_storage.email = ::Booth::Syntaxes::Email.call(email_param).normalized_invalid_email
+
+          Tron.success :remembered_email
+        end
+
+        def do_create_password_reset
+          creation = ::Booth::PasswordResets::Create.call(
+            credential: login_storage.credential_for_username,
+            email: email_param,
+            ip: request.ip,
+            agent: request.agent
+          )
+
+          creation.on_success do
+            password_reset_storage.email = nil
+          end
+
+          creation
+        end
+
+        def login_storage
+          request.storage.login
+        end
+
+        def password_reset_storage
+          request.storage.password_reset
+        end
+
+        def email_param
+          params.require(:password_reset).permit(:email)[:email]
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/password_resets/guards/logged_out.rb

@@ -0,0 +1,21 @@
+module Booth
+  module Userland
+    module PasswordResets
+      module Guards
+        class LoggedOut
+          include ::Booth::MethodObject
+          include ::Booth::Logging
+
+          option :request
+
+          def call
+            return Tron.success :not_logged_in unless request.authentication.logged_in?
+
+            debug { "Logged in as user #{request.authentication.username.inspect} but trying to password reset" }
+            yield Tron.success :logged_in_user_cannot_reset_password, step: :logout_first
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/password_resets/new.rb

@@ -0,0 +1,57 @@
+module Booth
+  module Userland
+    module PasswordResets
+      class New
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+
+          ::Booth::Userland::PasswordResets::Guards::LoggedOut.call(request:) { return _1 }
+
+          do_find_credential
+            .on_success { do_prepare_reset_form }
+        end
+
+        private
+
+        delegate :username, to: :storage, private: true
+
+        def do_find_credential
+          return Tron.success :known_credential if login_storage.credential_for_username
+
+          debug { "I don't know the username for a password reset" }
+          Tron.failure :unknown_credential, public_message: I18n.t('booth.password_reset_needs_username')
+        end
+
+        def do_prepare_reset_form
+          creation = ::Booth::PasswordResets::Create.call(
+            credential: login_storage.credential_for_username,
+            email: nil,
+            ip: request.ip,
+            agent: request.agent
+          )
+
+          if creation.failure == :blank_email
+            debug { 'Password reset is possible, once email was provided' }
+            return Tron.success :email_address_needed, username: login_storage.username,
+                                                       email: password_reset_storage.email,
+                                                       step: :new
+          end
+
+          # Because we did not pass in an email, this will never be successful.
+          creation
+        end
+
+        def login_storage
+          request.storage.login
+        end
+
+        def password_reset_storage
+          request.storage.password_reset
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/password_resets/show.rb

@@ -0,0 +1,77 @@
+module Booth
+  module Userland
+    module PasswordResets
+      class Show
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+
+          do_find_password_reset
+            .on_success { do_check_scope }
+            .on_success { do_check_logged_out }
+            .on_success { do_access_password_reset }
+        end
+
+        def do_find_password_reset
+          finding = ::Booth::PasswordResets::Find.call(secret_key: secret_key_param)
+          return finding if finding.failure?
+
+          @password_reset = finding.password_reset
+          finding
+        end
+
+        def do_check_scope
+          ::Booth::Syntaxes::ScopeComparison.call this: request.scope, that: @password_reset.credential.scope
+        end
+
+        def do_check_logged_out
+          unless request.authentication.logged_in?
+            debug { "Good, nobody happens to be already logged in in scope #{request.scope}" }
+            return Tron.success :not_logged_in
+          end
+
+          if request.authentication.logged_in_as?(credential: @password_reset.credential)
+            debug { "#{@password_reset.credential.username} is already logged in in scope #{request.scope}" }
+            return Tron.success :logged_in_as_same_credential
+          end
+
+          # This is not a security issue (the reset link status is checked elsewhere),
+          # but we should not ask the user to logout knowing that password reset is unavailble.
+          if %i[completed timed_out].include?(@password_reset.step)
+            return Tron.failure :wrong_user_and_reset_unavailable, step: @password_reset.step
+          end
+
+          debug do
+            "Logged in as user #{request.authentication.username.inspect} but trying to reset password as #{@password_reset.credential.username.inspect}"
+          end
+          Tron.failure :wrong_user_logged_in, step: :wrong_user_logged_in,
+                                              secret_key: @password_reset.secret_key,
+                                              username: @password_reset.credential.username
+        end
+
+        def do_access_password_reset
+          # Storing the consumer IP for now, since we already have it.
+          if @password_reset.accessed_at.blank?
+            @password_reset.update!(accessed_at: Time.current, consumer_ip: request.ip)
+          end
+
+          debug do
+            "Accessed PasswordReset with ID #{@password_reset.id.inspect} and Credential ID #{@password_reset.credential_id.inspect}"
+          end
+          Tron.success :password_reset_accessed, credential_id: @password_reset.credential.id,
+                                                 step: @password_reset.step,
+                                                 username: @password_reset.credential.username,
+                                                 secret_key: @password_reset.secret_key,
+                                                 minlength: @password_reset.class.password_minlength,
+                                                 passwordrules: @password_reset.class.passwordrules
+        end
+
+        def secret_key_param
+          params[:id]
+        end
+      end
+    end
+  end
+end