booth 0.0.1

data/lib/booth/userland/password_resets/transitions/update/choose_password.rb

@@ -0,0 +1,48 @@
+module Booth
+  module Userland
+    module PasswordResets
+      module Transitions
+        module Update
+          class ChoosePassword
+            include ::Booth::Concerns::Transition
+
+            option :password_reset
+
+            def self.applicable?(params:)
+              params&.key?(:password_reset) && params[:password_reset]&.key?(:password)
+            end
+
+            def call
+              do_check_password_reset
+                .on_success { do_update_password }
+            end
+
+            private
+
+            def do_check_password_reset
+              return Tron.failure :missing_password_reset unless password_reset.is_a?(::Booth::Models::PasswordReset)
+
+              Tron.success :password_reset_exists
+            end
+
+            def do_update_password
+              if password_reset.update password: password,
+                                       password_chosen_at: Time.current
+                debug { 'You chose a password' }
+                Tron.success :password_chosen
+              else
+                public_message = password_reset.errors.to_a.to_sentence
+                debug { "Could not choose password: #{public_message}" }
+                Tron.failure :password_update_failed, public_message:
+              end
+            end
+
+            def password
+              params&.require(:password_reset)&.permit(:password)&.[](:password)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/password_resets/transitions/update/confirm_password.rb

@@ -0,0 +1,54 @@
+module Booth
+  module Userland
+    module PasswordResets
+      module Transitions
+        module Update
+          class ConfirmPassword
+            include ::Booth::Concerns::Transition
+
+            option :password_reset
+
+            def self.applicable?(params:)
+              params.key?(:password_reset) && params[:password_reset].key?(:password_confirmation)
+            end
+
+            def call
+              do_compare_password
+                .on_success { do_update_password }
+            end
+
+            private
+
+            def do_compare_password
+              return Tron.success :passwords_match if @password_reset.authenticate_password(password_param)
+
+              @password_reset.errors.add :password_confirmation, :confirmation
+              public_message = password_reset.errors.to_a.to_sentence
+              debug { "Could not confirm password: #{public_message}" }
+              Tron.failure :password_did_not_match, public_message:
+            end
+
+            def do_update_password
+              if @password_reset.update(password_confirmed_at: Time.current, consumer_ip: request.ip)
+                debug { 'You confirmed your password' }
+                ::Booth::PasswordResets::PropagateToCredential.call(@password_reset)
+                Tron.success :password_confirmed,
+                             public_message: I18n.t('booth.password_successfully_reset')
+
+              else
+                debug do
+                  "The confirmation was correct but the update failed: #{password_reset.errors.to_a.to_sentence}"
+                end
+                Tron.failure :correct_password_confirmation_failed
+              end
+            end
+
+            def password_param
+              params.require(:password_reset).permit(:password_confirmation)[:password_confirmation]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/password_resets/transitions/update/reset_password.rb

@@ -0,0 +1,29 @@
+module Booth
+  module Userland
+    module PasswordResets
+      module Transitions
+        module Update
+          class ResetPassword
+            include ::Booth::Concerns::Transition
+
+            option :password_reset
+
+            def self.applicable?(params:)
+              params.key?(:reset_password)
+            end
+
+            def call
+              if password_reset.update password_chosen_at: nil, password_confirmed_at: nil
+                debug { 'The PasswordReset password was reset.' }
+                Tron.success :password_reset
+              else
+                debug { "Could not reset password: #{password_reset.errors.to_a.to_sentence}" }
+                Tron.failure :password_reset_failed
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/password_resets/update.rb

@@ -0,0 +1,65 @@
+module Booth
+  module Userland
+    module PasswordResets
+      class Update
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_patch!
+
+          do_find_password_reset
+            .on_success { do_check_scope }
+            .on_success { do_check_logged_out }
+            .on_success { do_transition }
+        end
+
+        private
+
+        def do_find_password_reset
+          finding = ::Booth::PasswordResets::Find.call(secret_key: params[:id])
+          return finding if finding.failure?
+
+          @password_reset = finding.password_reset
+          finding
+        end
+
+        def do_check_scope
+          ::Booth::Syntaxes::ScopeComparison.call this: scope, that: @password_reset.credential.scope
+        end
+
+        def do_check_logged_out
+          unless request.authentication.logged_in?
+            debug { "Good, nobody happens to be already logged in in scope #{scope}" }
+            return Tron.success :not_logged_in
+          end
+
+          debug { "When updating a new password, nobody should be logged in its scope #{scope.inspect}" }
+          Tron.failure :currently_logged_in
+        end
+
+        def after_transition
+          @password_reset.reload # Ensure the `password_reset` instance is in a valid state after a failed update
+          debug { "PasswordReset updated, now in status #{@password_reset.step}" }
+
+          # If (and only if!) this account is protected *only* by a password...
+          return unless @password_reset.completed? && @password_reset.credential.mode_username_and_password?
+
+          # ...then we log in right away.
+          ::Booth::Sessions::CreateAndLogin.call(credential: @password_reset.credential, request:)
+        end
+
+        def initialize_transition
+          transition.call(password_reset: @password_reset, request:)
+        end
+
+        def transitions
+          [
+            ::Booth::Userland::PasswordResets::Transitions::Update::ChoosePassword,
+            ::Booth::Userland::PasswordResets::Transitions::Update::ConfirmPassword,
+            ::Booth::Userland::PasswordResets::Transitions::Update::ResetPassword,
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/passwords/destroy.rb

@@ -0,0 +1,41 @@
+module Booth
+  module Userland
+    module Passwords
+      class Destroy
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_delete!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          ::Booth::Userland::Passwords::Guards::Sudo.call(request:, credential:) { return _1 }
+
+          do_require_eligible_credential
+            .on_success { do_destroy }
+        end
+
+        private
+
+        def do_require_eligible_credential
+          return Tron.success :can_remove_password if ::Booth::Credentials::Modes::PasswordRemovable.call(credential)
+
+          Tron.failure :credential_not_passwordable, public_message: I18n.t('booth.password_not_eligible')
+        end
+
+        def do_destroy
+          if credential.mode_username_and_webauth!
+            debug { 'Password has been removed from this credential' }
+            return Tron.success :password_removed, public_message: I18n.t('booth.password_removed')
+          end
+
+          Tron.failure :password_removal_failed
+        end
+
+        def credential
+          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/passwords/edit.rb

@@ -0,0 +1,54 @@
+module Booth
+  module Userland
+    module Passwords
+      class Edit
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          ::Booth::Userland::Passwords::Guards::Manageable.call(credential:) { return _1 }
+          ::Booth::Userland::Passwords::Guards::Sudo.call(request:, credential:) { return _1 }
+
+          do_clear_timed_out_sudo
+            .on_success { do_edit_password }
+        end
+
+        private
+
+        delegate :sudo, :authentication, to: :request
+
+        def do_clear_timed_out_sudo
+          return Tron.success :sudo_still_granted if sudo.password?
+
+          # If you had chosen a new password and your sudo ran out,
+          # then we should also clear the chosen password again. Simply start all over.
+          storage.password_digest = nil
+          Tron.success :cleared_password_digest
+        end
+
+        def do_edit_password
+          Tron.success :editing_password, step:
+        end
+
+        def step
+          return :successfully_changed if storage.password_recently_changed?
+          return :enter_old_password unless sudo.password?
+          return :choose_new_password if storage.password_digest.blank?
+
+          :confirm_new_password
+        end
+
+        def storage
+          request.storage.password
+        end
+
+        def credential
+          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/passwords/guards/manageable.rb

@@ -0,0 +1,21 @@
+module Booth
+  module Userland
+    module Passwords
+      module Guards
+        class Manageable
+          include ::Booth::Logging
+          include ::Booth::MethodObject
+
+          option :credential
+
+          def call
+            return if ::Booth::Credentials::Modes::PasswordManageable.call(credential)
+
+            debug { 'Password is not relevant to this credential' }
+            yield Tron.failure :password_not_configurable, public_message: I18n.t('booth.password_unavailable')
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/passwords/guards/removable.rb

@@ -0,0 +1,21 @@
+module Booth
+  module Userland
+    module Passwords
+      module Guards
+        class Removable
+          include ::Booth::Logging
+          include ::Booth::MethodObject
+
+          option :credential
+
+          def call
+            return if ::Booth::Credentials::Modes::PasswordRemovable.call(credential)
+
+            debug { 'Password is not removable from this credential' }
+            yield Tron.failure :password_not_removable, public_message: I18n.t('booth.password_unavailable')
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/passwords/guards/sudo.rb

@@ -0,0 +1,21 @@
+module Booth
+  module Userland
+    module Passwords
+      module Guards
+        class Sudo
+          include ::Booth::MethodObject
+
+          option :request
+          option :credential
+
+          def call
+            return if credential.mode_first_time?
+            return if credential.mode_username_and_webauth?
+
+            request.sudo.guard_with_password { yield _1 }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/passwords/remove.rb

@@ -0,0 +1,34 @@
+module Booth
+  module Userland
+    module Passwords
+      class Remove
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          ::Booth::Userland::Passwords::Guards::Removable.call(credential:) { return _1 }
+          ::Booth::Userland::Passwords::Guards::Sudo.call(request:, credential:) { return _1 }
+
+          do_render
+        end
+
+        private
+
+        def do_render
+          Tron.success :todo, step:
+        end
+
+        def step
+          ::Booth::Userland::Passwords::Transitions::Remove::Step.call(credential:)
+        end
+
+        def credential
+          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/passwords/show.rb

@@ -0,0 +1,32 @@
+module Booth
+  module Userland
+    module Passwords
+      class Show
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          ::Booth::Userland::Passwords::Guards::Manageable.call(credential:) { return _1 }
+          ::Booth::Userland::Passwords::Guards::Sudo.call(request:, credential:) { return _1 }
+
+          do_show
+        end
+
+        private
+
+        def do_show
+          return Tron.success(:otp_addable, step: :add) if credential.mode_username_and_webauth?
+
+          Tron.success :manage_password, step: :show
+        end
+
+        def credential
+          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/passwords/sudo.rb

@@ -0,0 +1,55 @@
+module Booth
+  module Userland
+    module Passwords
+      class Sudo
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_post!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          do_find_credential
+            .on_success { do_require_credential_has_password }
+            .on_success { do_check_password }
+            .on_success { do_grant_sudo }
+        end
+
+        private
+
+        def do_find_credential
+          @credential = ::Booth::Models::Credential.find(request.authentication.credential_id)
+          return Tron.success :found_credential if @credential
+
+          Tron.failure :missing_credential
+        end
+
+        def do_require_credential_has_password
+          return Tron.success :credential_has_only_password if @credential.mode_username_and_password?
+          return Tron.success :credential_has_password_and_otp if @credential.mode_username_password_and_otp?
+          return Tron.success :credential_has_password_and_webauth if @credential.mode_username_password_and_webauth?
+
+          Tron.failure :credential_has_no_password, public_message: I18n.t('booth.password_not_configured')
+        end
+
+        def do_check_password
+          ::Booth::Credentials::PasswordAuthentication.call(
+            credential: @credential,
+            password: password_param,
+            ip: request.ip,
+            agent: request.agent
+          )
+        end
+
+        def do_grant_sudo
+          request.sudo.password!
+          Tron.success :password_sudo_granted
+        end
+
+        def password_param
+          params.require(:password).permit(:password)[:password]
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/passwords/transitions/remove/step.rb

@@ -0,0 +1,27 @@
+module Booth
+  module Userland
+    module Passwords
+      module Transitions
+        module Remove
+          class Step
+            include ::Booth::MethodObject
+
+            option :credential
+
+            def call
+              return :add_authenticator if authenticators.none?(&:supports_user_verification)
+
+              :remove
+            end
+
+            private
+
+            def authenticators
+              credential.authenticators.registered_scope
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/passwords/transitions/update/choose_password.rb

@@ -0,0 +1,62 @@
+module Booth
+  module Userland
+    module Passwords
+      module Transitions
+        module Update
+          class ChoosePassword
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params.dig(:password, :new_password)
+            end
+
+            def call
+              do_check_sudo
+                .on_success { do_check_password }
+                .on_success { do_remember_password }
+            end
+
+            private
+
+            def do_check_sudo
+              return Tron.success :still_has_sudo if sudo.password?
+
+              Tron.failure :missing_sudo, public_message: I18n.t('booth.password_change_timeout',
+                                                                 lifespan_minutes: (sudo.lifespan / 60))
+            end
+
+            def do_check_password
+              @dummy_credential = ::Booth::Models::Credential.new(
+                password: password_param,
+                username: :dummy,
+                allowed_modes: [:first_time]
+              )
+              return Tron.success :password_is_acceptable if @dummy_credential.valid?
+
+              debug { 'The newly chosen password is not acceptable' }
+              Tron.failure :invalid_password, public_message: @dummy_credential.errors.full_messages.to_sentence
+            end
+
+            def do_remember_password
+              storage.password_digest = @dummy_credential.password_digest
+
+              Tron.success :remembered_password
+            end
+
+            def password_param
+              params.require(:password).permit(:new_password)[:new_password]
+            end
+
+            def storage
+              request.storage.password
+            end
+
+            def sudo
+              request.sudo
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/passwords/transitions/update/confirm_password.rb

@@ -0,0 +1,82 @@
+module Booth
+  module Userland
+    module Passwords
+      module Transitions
+        module Update
+          class ConfirmPassword
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params.dig(:password, :password)
+            end
+
+            def call
+              do_check_sudo
+                .on_success { do_compare_password }
+                .on_success { do_update_credential }
+            end
+
+            private
+
+            def do_check_sudo
+              return Tron.success :still_has_sudo if sudo.password?
+
+              Tron.failure :missing_sudo, public_message: I18n.t('booth.password_change_timeout',
+                                                                 lifespan_minutes: (sudo.lifespan / 60))
+            end
+
+            def do_compare_password
+              @dummy_credential = ::Booth::Models::Credential.new(
+                password_digest: storage.password_digest,
+                password_confirmation: password_param,
+                username: :dummy,
+                allowed_modes: [:first_time]
+              )
+
+              if @dummy_credential.valid?
+                debug { 'The password confirmation was typed in correctly' }
+                return Tron.success :passwords_match
+              end
+
+              debug { 'The password confirmation did not match' }
+              Tron.failure :passwords_dont_match, public_message: @dummy_credential.errors.full_messages.to_sentence
+            end
+
+            def do_update_credential
+              credential = ::Booth::Models::Credential.find(authentication.credential_id)
+
+              if credential.update(password: password_param)
+                debug { "Successfully updated password of credential with ID #{credential.id}" }
+                storage.reset
+                storage.password_recently_changed!
+
+                # Prolong sudo to give the user more time to revoke all other sessions.
+                sudo.password!
+                return Tron.success :password_updated
+              end
+
+              debug { "Could not persist new password for  credential with ID #{credential.id}" }
+              Tron.failure :persistence_failed, public_message: credential.errors.full_messages.to_sentence
+            end
+
+            def password_param
+              params.require(:password).permit(:password)[:password]
+            end
+
+            def storage
+              request.storage.password
+            end
+
+            def authentication
+              request.authentication
+            end
+
+            def sudo
+              request.sudo
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/passwords/update.rb

@@ -0,0 +1,33 @@
+module Booth
+  module Userland
+    module Passwords
+      class Update
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_patch!
+          request.must_be_logged_in!
+
+          ::Booth::Userland::Passwords::Guards::Manageable.call(credential:) { return _1 }
+          ::Booth::Userland::Passwords::Guards::Sudo.call(request:, credential:) { return _1 }
+
+          do_transition
+        end
+
+        private
+
+        def credential
+          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+        end
+
+        def transitions
+          [
+            ::Booth::Userland::Passwords::Transitions::Update::ChoosePassword,
+            # TODO: Add ResetPassword so that you can change your mind when confirming
+            ::Booth::Userland::Passwords::Transitions::Update::ConfirmPassword,
+          ]
+        end
+      end
+    end
+  end
+end