booth 0.0.1

data/lib/booth/userland/personal_contests/show.rb

@@ -0,0 +1,60 @@
+module Booth
+  module Userland
+    module PersonalContests
+      class Show
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          debug { 'You want to receive your personal contest...' }
+
+          if contest.failure?
+            debug { "This credential doesn't have any contest right now." }
+            return Tron.success :not_contested, step: :not_contested
+          end
+
+          if contest.recently_responded
+            debug { 'The current contest has already been responded to' }
+            return Tron.success :contest_responded, step: :contest_solved
+          end
+
+          step = case contest.reason
+                 when :login   then :remote_login
+                 when :support then :support_authentication
+                 else               raise "Unknown contest reason: #{contest.reason}"
+                 end
+
+          debug { 'You have a contest to respond to' }
+          Tron.success :you_are_contested,
+                       ip: contest.ip,
+                       agent: contest.agent.presence,
+                       location: contest.location.presence,
+                       browser_name: contest.browser_name,
+                       platform_name: contest.platform_name,
+                       browser_image_path: contest.browser_image_path,
+                       platform_image_path: contest.platform_image_path,
+                       step:
+        end
+
+        private
+
+        def credential
+          return @credential if defined?(@credential)
+
+          id = request.authentication.credential_id
+          @credential = ::Booth::Models::Credential.find_by(id:)
+        end
+
+        def contest
+          return unless credential
+          return @contest if defined?(@contest)
+
+          @contest = ::Booth::Contests::Get.call(credential_id: credential.id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/personal_contests/update.rb

@@ -0,0 +1,37 @@
+module Booth
+  module Userland
+    module PersonalContests
+      class Update
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_patch!
+
+          do_check_logged_in
+            .on_success { do_respond }
+        end
+
+        def do_check_logged_in
+          return Tron.success :logged_in if credential
+
+          Tron.failure :not_logged_in
+        end
+
+        def do_respond
+          ::Booth::Contests::Respond.call(scope:, contest: credential.contest, request:)
+        end
+
+        private
+
+        delegate :contest, to: :credential, private: true
+
+        def credential
+          return @credential if defined?(@credential)
+
+          credential_id = request.authentication.credential_id
+          @credential = ::Booth::Models::Credential.find_by(id: credential_id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/recoveries/create.rb

@@ -0,0 +1,48 @@
+module Booth
+  module Userland
+    module Recoveries
+      class Create
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_post!
+
+          do_remember_email
+            .on_success { do_create_password_reset }
+        end
+
+        private
+
+        delegate :username, to: :storage, private: true
+
+        def do_remember_email
+          storage.email = ::Booth::Syntaxes::Email.call(email_param).normalized_invalid_email
+
+          Tron.success :remembered_email
+        end
+
+        def do_create_password_reset
+          creation = ::Booth::Recoveries::Create.call(
+            scope:,
+            email: email_param,
+            ip: request.ip
+          )
+
+          creation.on_success do
+            storage.email = nil
+          end
+
+          creation
+        end
+
+        def storage
+          request.storage.recovery
+        end
+
+        def email_param
+          params.require(:recovery).permit(:email)[:email]
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/recoveries/new.rb

@@ -0,0 +1,35 @@
+module Booth
+  module Userland
+    module Recoveries
+      class New
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+
+          if already_logged_in?
+            call_already_logged_in
+          else
+            Tron.failure :enter_email, step: :enter_email, email: storage.email
+          end
+        end
+
+        private
+
+        def call_already_logged_in
+          debug { "Looks like you're already logged in" }
+          Tron.success :logged_in, step: :already_logged_in
+        end
+
+        def already_logged_in?
+          request.authentication.logged_in?
+        end
+
+        def storage
+          request.storage.recovery
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/registrations/create.rb

@@ -0,0 +1,56 @@
+module Booth
+  module Userland
+    module Registrations
+      class Create
+        include ::Booth::Concerns::Action
+
+        option :allowed_modes
+
+        def call
+          request.must_be_post!
+
+          debug { "You want to register the username #{username_param.inspect}, let's see if it is taken." }
+          finding = ::Booth::Credentials::FindByUsername.call(username: username_param)
+          registration_storage.username = finding.normalized_invalid_username
+
+          finding.on_success do
+            debug { 'That username is taken. You should try to login instead.' }
+            login_storage.credential_for_username = finding.credential
+            public_message = I18n.t('booth.username_already_exists')
+            return Tron.success :username_exists, public_message:
+          end
+
+          debug { 'That username is available.' }
+          return finding unless finding.failure == :credential_not_found
+
+          creation = ::Booth::Credentials::CreateWithOnboarding.call(
+            username: finding.normalized_username,
+            allowed_modes:,
+            scope:
+          )
+
+          creation.on_success do
+            ::Booth::Sessions::CreateAndLogin.call(credential: creation.credential, request:)
+            return Tron.success :username_is_available, public_message: 'You have registered an account.'
+          end
+
+          Tron.failure :registration_failed, error: creation.error
+        end
+
+        private
+
+        def username_param
+          params.require(:registration).permit(:username)[:username]
+        end
+
+        def login_storage
+          request.storage.login
+        end
+
+        def registration_storage
+          request.storage.registration
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/registrations/new.rb

@@ -0,0 +1,39 @@
+module Booth
+  module Userland
+    module Registrations
+      class New
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+
+          if already_logged_in?
+            call_already_logged_in
+          else
+            Tron.failure :choose_username, step: :choose_username, username: storage.username
+          end
+        end
+
+        private
+
+        def call_already_logged_in
+          debug { "Looks like you're already logged in" }
+          Tron.success :logged_in, step: :already_logged_in
+        end
+
+        def already_logged_in?
+          request.authentication.logged_in?
+        end
+
+        def username
+          storage.username
+        end
+
+        def storage
+          request.storage.registration
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/sessions/destroy_one_or_other.rb

@@ -0,0 +1,41 @@
+module Booth
+  module Userland
+    module Sessions
+      class DestroyOneOrOther
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_delete!
+          request.must_be_logged_in!
+
+          do_transition
+        end
+
+        private
+
+        def transitions
+          if request.authentication.mode == :username_and_webauth
+            webauth_transitions
+          else
+            password_transitions
+          end
+        end
+
+        def webauth_transitions
+          [
+            ::Booth::Userland::Sessions::Transitions::Destroy::EnterWebauth,
+            ::Booth::Userland::Sessions::Transitions::Destroy::WebauthAuthenticationInitiation,
+            ::Booth::Userland::Sessions::Transitions::Destroy::WebauthAuthenticationVerification,
+          ]
+        end
+
+        def password_transitions
+          [
+            ::Booth::Userland::Sessions::Transitions::Destroy::EnterPassword,
+            ::Booth::Userland::Sessions::Transitions::Destroy::VerifyPassword,
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/sessions/index.rb

@@ -0,0 +1,27 @@
+module Booth
+  module Userland
+    module Sessions
+      class Index
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_logged_in!
+
+          do_fetch_sessions
+        end
+
+        private
+
+        def do_fetch_sessions
+          ::Booth::Sessions::Index.call credential_id: authentication.credential_id,
+                                        current_session_id: authentication.session_id
+        end
+
+        def authentication
+          request.authentication
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/sessions/show.rb

@@ -0,0 +1,31 @@
+module Booth
+  module Userland
+    module Sessions
+      # `DELETE /sessions/123` may present a page with a WebAuth authentication challenge.
+      # That challenge is responded to asynchronously and in that response the server destroys the session.
+      # After that, the page is reloaded by JS using `GET /sessions/123`, which is the `show` action.
+      # But we don't actually have a show action for sessions. We just informatively redirect to the index action.
+      class Show
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          unless request.authentication.mode == :username_and_webauth
+            return Tron.failure :only_applicable_when_passwordless
+          end
+
+          ::Booth::Userland::Sessions::Transitions::Show::EnterWebauth.call request:
+        end
+
+        private
+
+        def authentication
+          request.authentication
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/sessions/transitions/destroy/enter_password.rb

@@ -0,0 +1,50 @@
+module Booth
+  module Userland
+    module Sessions
+      module Transitions
+        module Destroy
+          class EnterPassword
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              !params[:revocation]
+            end
+
+            def call
+              if sudo.password?
+                if session_id_param
+                  debug { 'Having password sudo, revoking the desired session...' }
+                  return ::Booth::Sessions::Revoke.call credential_id: authentication.credential_id,
+                                                        session_id: session_id_param
+                else
+                  debug { 'Having password sudo, revoking all other sessions...' }
+                  return ::Booth::Sessions::RevokeAllOthers.call credential_id: authentication.credential_id,
+                                                                 surviving_session_id: authentication.session_id
+                end
+              end
+
+              if session_id_param
+                Tron.failure :need_sudo_to_destroy_session,
+                             step: :enter_password_to_destroy,
+                             session_id: session_id_param
+              else
+                Tron.failure :need_sudo_to_destroy_all_other_sessions,
+                             step: :enter_password_to_destroy_all_others
+              end
+            end
+
+            def session_id_param
+              # If params[:id] is a UUID, then it's an ID for a `Booth::Models::Session` in the DB.
+              # If params[:id] is something else, then it's just a WebAuth Ceremony argument.
+              ::Booth::Syntaxes::Uuid.call(request.params[:id], raise_if_invalid: false).uuid
+            end
+
+            delegate :authentication, to: :request
+
+            delegate :sudo, to: :request
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/sessions/transitions/destroy/enter_webauth.rb

@@ -0,0 +1,56 @@
+module Booth
+  module Userland
+    module Sessions
+      module Transitions
+        module Destroy
+          class EnterWebauth
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              !params[:webauth]
+            end
+
+            def call
+              if sudo.webauth?
+                if session_id_param
+                  debug { 'Having webauth sudo, revoking the desired session...' }
+                  return ::Booth::Sessions::Revoke.call credential_id: authentication.credential_id,
+                                                        session_id: session_id_param
+                else
+                  debug { 'Having webauth sudo, revoking all other sessions...' }
+                  return ::Booth::Sessions::RevokeAllOthers.call credential_id: authentication.credential_id,
+                                                                 surviving_session_id: authentication.session_id
+                end
+              end
+
+              if session_id_param
+                Tron.failure :need_sudo_to_destroy_session,
+                             step: :enter_webauth_to_destroy,
+                             session_id: session_id_param
+              else
+                Tron.failure :need_sudo_to_destroy_all_other_sessions,
+                             step: :enter_webauth_to_destroy_all_others
+              end
+            end
+
+            private
+
+            def session_id_param
+              # If params[:id] is a UUID, then it's an ID for a `Booth::Models::Session` in the DB.
+              # If params[:id] is something else, then it's just a WebAuth Ceremony argument.
+              ::Booth::Syntaxes::Uuid.call(request.params[:id], raise_if_invalid: false).uuid
+            end
+
+            def authentication
+              request.authentication
+            end
+
+            def sudo
+              request.sudo
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/sessions/transitions/destroy/verify_password.rb

@@ -0,0 +1,83 @@
+module Booth
+  module Userland
+    module Sessions
+      module Transitions
+        module Destroy
+          class VerifyPassword
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params.dig(:revocation, :password)
+            end
+
+            def call
+              do_find_credential
+                .on_success { do_revoke_sessions }
+            end
+
+            private
+
+            def do_find_credential
+              @credential = ::Booth::Models::Credential.find_by(id: authentication.credential_id)
+              return Tron.success :found_credential if @credential
+
+              Tron.failure :missing_credential
+            end
+
+            def do_revoke_sessions
+              checking = ::Booth::Credentials::PasswordAuthentication.call(
+                credential: @credential,
+                password: password_param,
+                ip: request.ip,
+                agent: request.agent
+              )
+
+              if checking.success?
+                if session_id_param
+                  debug { 'Having password sudo, revoking the desired session...' }
+                  return ::Booth::Sessions::Revoke.call credential_id: authentication.credential_id,
+                                                        session_id: session_id_param
+                else
+                  debug { 'Having password sudo, revoking all other sessions...' }
+                  return ::Booth::Sessions::RevokeAllOthers.call credential_id: authentication.credential_id,
+                                                                 surviving_session_id: authentication.session_id
+                end
+              end
+
+              public_message = checking.public_message if checking.respond_to?(:public_message)
+
+              if session_id_param
+                Tron.failure :need_sudo_to_destroy_session,
+                             step: :enter_password_to_destroy,
+                             session_id: session_id_param,
+                             public_message: public_message
+              else
+                Tron.failure :need_sudo_to_destroy_all_other_sessions,
+                             step: :enter_password_to_destroy_all_others,
+                             public_message: public_message
+              end
+            end
+
+            def session_id_param
+              # If params[:id] is a UUID, then it's an ID for a `Booth::Models::Session` in the DB.
+              # If params[:id] is something else, then it's just a WebAuth Ceremony argument.
+              ::Booth::Syntaxes::Uuid.call(request.params[:id], raise_if_invalid: false).uuid
+            end
+
+            def password_param
+              request.params.require(:revocation).permit(:password)[:password]
+            end
+
+            def authentication
+              request.authentication
+            end
+
+            def sudo
+              request.sudo
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/sessions/transitions/destroy/webauth_authentication_initiation.rb

@@ -0,0 +1,38 @@
+module Booth
+  module Userland
+    module Sessions
+      module Transitions
+        module Destroy
+          class WebauthAuthenticationInitiation
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params[:webauth] && !params[:type]
+            end
+
+            def call
+              debug { 'Preparing webauth challenge...' }
+              credential = ::Booth::Models::Credential.find(authentication.credential_id)
+              challenging = Booth::Credentials::WebauthChallenge.call(credential:)
+              result = Tron.success :webauth_for_you, public_json: challenging.options_for_get, http_status: :ok
+              debug { "The challenge is #{challenging.challenge}" }
+              sudo.webauthn_challenge = challenging.challenge
+              debug { "Responding with JSON: #{result.public_json}" }
+              result
+            end
+
+            private
+
+            def sudo
+              request.sudo
+            end
+
+            def authentication
+              request.authentication
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/sessions/transitions/destroy/webauth_authentication_verification.rb

@@ -0,0 +1,61 @@
+module Booth
+  module Userland
+    module Sessions
+      module Transitions
+        module Destroy
+          class WebauthAuthenticationVerification
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params[:webauth] && params[:type]
+            end
+
+            def call
+              do_find_challenge
+                .on_success { do_check_webauth }
+            end
+
+            # Helpers
+
+            def do_find_challenge
+              return Tron.success :challenge_ongoing if sudo.webauthn_challenge.present?
+
+              debug { 'There is no corresponding challenge in the session' }
+              Tron.failure :no_session_challenge, public_json: {}, http_status: :unprocessable_entity
+            end
+
+            def do_check_webauth
+              verification = ::Booth::Webauth::AuthenticationVerification.call(
+                request:,
+                credential_id: authentication.credential_id,
+                challenge: sudo.webauthn_challenge
+              )
+              return verification if verification.failure?
+
+              if session_id_param
+                ::Booth::Sessions::Revoke.call credential_id: authentication.credential_id,
+                                               session_id: session_id_param
+              else
+                ::Booth::Sessions::RevokeAllOthers.call credential_id: authentication.credential_id,
+                                                        surviving_session_id: authentication.session_id
+              end
+
+              Tron.success :session_revocation_successful, public_json: {},
+                                                           http_status: :created
+            end
+
+            def session_id_param
+              # If params[:id] is a UUID, then it's an ID for a `Booth::Models::Session` in the DB.
+              # If params[:id] is something else, then it's just a WebAuth Ceremony argument.
+              ::Booth::Syntaxes::Uuid.call(request.params[:id], raise_if_invalid: false).uuid
+            end
+
+            delegate :authentication, to: :request
+
+            delegate :sudo, to: :request
+          end
+        end
+      end
+    end
+  end
+end